Freecycle users told to change passwords after data breach

Graham Cluley

Freecycle, an online community that encourages sharing unwanted items with each other rather than chucking them in the bin or taking them to landfill, has told users to change their passwords after it suffered a data breach.

An announcement on the Freecycle website was the first I knew about the security breach, as – at the time of writing – despite being a member of the site I still haven’t received any other notification from the community.

Freecycle announcement

On August 30th we became aware of a data breach on Freecycle.org. As a result, we are advising all members to change their passwords as soon as possible. We apologize for the inconvenience and would ask that you watch this space for further pending background. Deron Beal, Executive Director, The Freecycle Network

More information is shared on the Freecycle knowledgebase, where users are advised on how to change their passwords.

Freecycle says that the data breach “includes usernames, User IDs, email addresses and hashed passwords.” No mention is made regarding the hashing algorithm used or whether the passwords were also salted – which would be useful information to know when assessing how likely it is that passwords will be cracked.
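Why the algorithm and the salt matter, shown as an added example that is not from the original article or from Freecycle: it stores the same small user table once with a fast unsalted hash and once with a per-user salt and a slow key-derivation function. The account names, passwords and iteration count are constructed for illustration and say nothing about how Freecycle actually stored passwords.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not breach data); two users share one password.
SAMPLE_USERS = {
    "alice": "sunflower42",
    "bob": "sunflower42",
    "carol": "c0rrect-horse-battery",
}
ITERATIONS = 600_000  # assumed work factor for this example


def unsalted_sha256(password):
    """Fast, unsalted digest: equal passwords always give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password, salt=None):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": digest}


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def shared_hash_groups(hashes):
    """Count hash values that appear on more than one account."""
    return sum(1 for n in Counter(hashes).values() if n > 1)


def compare_schemes(users=SAMPLE_USERS):
    """Return (shared groups unsalted, shared groups salted) for a user table."""
    unsalted = [unsalted_sha256(pw) for pw in users.values()]
    salted = [salted_record(pw)["hash"] for pw in users.values()]
    return shared_hash_groups(unsalted), shared_hash_groups(salted)


if __name__ == "__main__":
    print(compare_schemes())  # unsalted table exposes the shared password
```

In the unsalted table the two accounts with the same password are visibly linked, and one computed hash can be compared against every account at once; with per-user salts and a slow function each account has to be worked on separately.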

Regardless, it’s certainly a good idea to change your Freecycle password – but also to ensure that you are not using the same password anywhere else on the internet.

Although you may not be overly worried about someone accessing your Freecycle account, you definitely don’t want to make it easy for a malicious hacker to break into your other online accounts.

You should make it a habit to never use the same password on different sites.

If you find passwords a burden – simply use password management software like 1Password or Bitwarden to make them both safer and easier to remember.

You should also assume that cybercriminals now have your email address too – which may mean that Freecycle users can expect to receive phishing emails designed to trick them into sharing more information.

As ever, be careful out there.


Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Bluesky, or drop him an email.

4 comments on “Freecycle users told to change passwords after data breach”

  1. Deron Beal

    Thanks, Graham. Emails are going out to members as well but it takes time to get information out to group moderators and to members via email without getting blacklisted as a site, thus the banner right away on site as a stopgap. The info is also in our Newswire and in daily post emails to active members on the right, and a few other places. Breach was found Wednesday.
    Best,
    Deron Beal, Executive Director, The Freecycle Network

  2. Basil

    Can you introduce 2-step verification to avoid similar P/W leakages in the future?

  3. Joann Felters

    Not a problem to change my password. Thank you for the notification.

  4. Phesten Chebler (invented name)

    Most data breaches result from phishing emails to those who have some administrative access and respond to plausibly (almost) requests/communications. Sounds like an admin of some sort and responded to such, or clicked on an emailed link and allowed the perpetrators access to sensitive information… It could be that the system was not as secure as it should have been at source (the host site for example). Thankfully, I do not use my actual email address but one which was created to subscribe to Freecycle ONLY.. or my real and very personal email would have been compromised as a result. Recommendation… create a new email account for FreeCycle only (secondary gmail say, using an email address specific to Freecycle communications). This is what I did and ONLY Freecycle alerts arrive at this secondary address. Be careful out there. Don't click on links in emails even if they seem to be from someone you know. Ponder on any email you receive as if it is out to steal your information.

    I spent 20+ years in an NH school district IT role and have seen everything related to data breaches courtesy of more than capable, intelligent people clicking on links or responding to seemingly "genuine" requests from district administrators. Question anything that seems unlikely or too good to be true.
