Source: securityboulevard.com – Author: Jeffrey Burt
Millions of people who use the Freecycle online forum to swap unwanted items may now have their passwords, email addresses, and other sensitive information traded on the dark web following a data breach this summer.
The operators of the Freecycle Network, which is based in the United States and also is registered in the UK, wrote in an online notice that they learned about the data breach August 30, though the bad actors behind the attack reportedly put some of the stolen information up for sale on a hacking forum weeks earlier.
The breach exposed a range of data, including usernames, user IDs, email addresses, and passwords, according to the company, whose online sites let users trade possessions they no longer want rather than throw them away.
Included in the batch of stolen data were the credentials of Deron Beal, Freecycle’s founder and executive director. Freecycle claims more than 11 million users and some reports say the data of 7 million of them were exposed during the incident. The attacker reportedly had put some of the stolen data up for sale on a hacking forum as early as May.
The worry is that threat actors can use these credentials in phishing emails to gain access to user accounts and steal more data, or use them to launch credential-stuffing attacks: trying the stolen username and password pairs against other services, betting that some victims have used the same password for multiple online accounts.
Password Reuse is a Worry
That is why Freecycle in its online notice and in emails sent to users – as seen via a user on X (formerly Twitter) – is urging them to not only change the password for their Freecycle account but also to change it for any other site where it’s been used.
Password reuse is an ongoing security problem and one of the reasons organizations like Microsoft, Google, and the FIDO Alliance are pushing toward a passwordless future.
As the number of online accounts that people hold proliferates, users who feel overwhelmed by the number of passwords they need to remember often reuse them. According to a report last year by cybercrime statistics firm SpyCloud, 70% of users exposed in data breaches in 2021 reused passwords on multiple accounts.
The password reuse rate for employees with Fortune 1000 companies was 64%.
In the email to users, Freecycle said the passwords were hashed, a one-way method of scrambling a password by turning plaintext into a string of seemingly random characters. A hash cannot be decrypted the way encrypted data can, but if a cybercriminal can crack it, by guessing candidate passwords and checking which one produces the leaked hash, they can use the recovered password to get into the account.
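To show why "the passwords were hashed" is only partial reassurance, here is an added example (not code from Freecycle or from the article) that contrasts an unsalted fast hash with a salted, slow key-derivation function. Hashing is one-way in both cases; the difference is how cheaply a leaked hash can be matched against guesses and against the same user's hash on another site. The password string, the scheme names, and the iteration count are constructed values chosen for this example.

```python
import hashlib
import hmac
import os

# Constructed sample value: the password a user reused on two unrelated sites.
REUSED_PASSWORD = "correct horse battery staple"
PBKDF2_ITERATIONS = 600_000  # work factor chosen for this example; raise as hardware improves


def fast_unsalted_hash(password: str) -> str:
    """Weak scheme: one unsalted SHA-256 over the password.

    Hashing is one-way, so the hash cannot be "decrypted", but SHA-256 is
    fast and deterministic: the same password always yields the same hash,
    so a hash recovered from one site's breach identifies the same password
    on every other site that stores it this way, and guesses can be tested
    against it at very high speed.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_salted_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Stronger scheme: PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt.

    The salt makes identical passwords produce unrelated hashes, and the
    iteration count makes every guess expensive for whoever holds the dump.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted_record(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def leaked_hash_matches_other_site(scheme: str) -> bool:
    """Model the cross-site reuse problem the article describes.

    Site A is breached and its hash of REUSED_PASSWORD leaks. Site B stores
    the same user's same password. Returns True if Site A's leaked hash, on
    its own, confirms that Site B holds the same password.
    """
    if scheme == "unsalted-sha256":
        site_a_leaked = fast_unsalted_hash(REUSED_PASSWORD)
        site_b_stored = fast_unsalted_hash(REUSED_PASSWORD)
        return site_a_leaked == site_b_stored  # identical: reuse is visible
    if scheme == "salted-pbkdf2":
        site_a_leaked = make_salted_record(REUSED_PASSWORD)["hash"]
        site_b_stored = make_salted_record(REUSED_PASSWORD)["hash"]
        return site_a_leaked == site_b_stored  # different salts: no match
    raise ValueError(f"unknown scheme: {scheme}")


if __name__ == "__main__":
    record = make_salted_record(REUSED_PASSWORD)
    print("unsalted hashes collide across sites:", leaked_hash_matches_other_site("unsalted-sha256"))
    print("salted hashes collide across sites:  ", leaked_hash_matches_other_site("salted-pbkdf2"))
    print("correct password verifies:", verify_salted_record(REUSED_PASSWORD, record))
    print("wrong password verifies:  ", verify_salted_record("wrong guess", record))
```

Salting and a high work factor raise the cost of recovering passwords from a dump and stop one site's leaked hashes from being matched directly against another's, but they do not remove the risk once a weak or common password is cracked, which is why the advice to change a reused password everywhere still applies regardless of how the breached site stored it.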
Keep an Eye Out for More Spam
Along with exposing account information, Beal wrote in the notice that users need to be on the lookout for an increase of spam showing up in their inboxes.
“While most email providers do a good job at filtering out spam, you may notice that you receive more spam than usual,” he wrote. “As always, please remain vigilant of phishing emails, avoid clicking on links in emails, and don’t download attachments unless you are expecting them.”
Freecycle said it has contacted law enforcement agencies in the United States as well as the UK’s Information Commissioner’s Office (ICO).
The organization outlined two options for users to change their passwords, including going through the site’s settings, which requires the user to initially log into the site. However, if they can’t log in, they can request a password reset.
Beal launched The Freecycle Network in May 2003 in Arizona as a way of keeping unwanted items out of landfills by creating an online site where users can swap them. Freecycle has a global reach with more than 5,300 local “Town” groups around the world.
Original Post URL: https://securityboulevard.com/2023/09/item-recycling-site-freecycle-is-hit-with-a-massive-data-breach/
Category & Tags: Cloud Security,Cybersecurity,Data Security,Featured,Governance, Risk & Compliance,Identity & Access,Network Security,News,Security Boulevard (Original),Social Engineering,Spotlight,Threats & Breaches,Common Passwords,Data breach,passwordless,Spam