Freecycle, an online community that encourages sharing unwanted items with eachother than chucking them in the bin or taking them to landfill, has told users to change their passwords after it suffered a data breach.
An announcement on the Freecycle website was the first I knew about the security breach, as – at the time of writing – despite being a member of the site I still haven’t received any other notification from the community.
On August 30th we became aware of a data breach on Freecycle.org. As a result, we are advising all members to change their passwords as soon as possible. We apologize for the inconvenience and would ask that you watch this space for further pending background. Deron Beal, Executive Director, The Freecycle Network
More information is shared on the Freecycle knowlegebase, where users are advised on how to change their passwords.
Freecycle says that the data breach “includes usernames, User IDs, email addresses and hashed passwords.” No mention is made regarding the hashing algorithm used or whether the passwords were also salted – which would be useful information to know when assessing how likely it is that passwords will be cracked.
Regardless, it’s certainly a good idea to change your Freecycle password – but also to ensure that you are not using the same password anywhere else on the internet.
Although you may not be overly worried about someone accessing your Freecycle account, you definitely don’t want to make it easy for a malicious hacker to break into your other online accounts.
You should make it a habit to never use the same password on different sites.
If you find passwords a burden – simply use password management software like 1Password or Bitwarden to make them both safer and easier to remember.
You should also assume that cybercriminals now have your email address too – which may mean that Freecycle users can expect to receive phishing emails designed to trick them into sharing more information.
As ever, be careful out there.
Thanks, Graham. Emails are going out to members as well but it takes time to get information out to group moderators and to members via email without getting blacklisted as a site, thus the banner right away on site as a stopgap. The info is also in our Newswire and in daily post emails to active members on the right, and a few other places. Breach was found Wednesday.
Best,
Deron Beal, Executive Director, The Freecycle Network
Can you introduce 2-step verificationto avoid similar P/W leakages in the future?
Not a problem to change my password. Thank you for the notification.
Most data breaches result from phishing emails to those who have some administrative access and respond to plausibly (almost) requests/communications. Sounds like an admin of some sort and responded to such, or clicked on an emailed link and allowed the perpetrators access to sensitive information… It could be that the system was not as secure as it should have been at source (the host site for example). Thankfully, I do not use my actual email address but one which was created to subscribe to Freecycle ONLY.. or my real and very personal email would have been compromised as a result. Recommendation… create a new email account for FreeCycle only (secondary gmail say, using an email address specific to Freecycle communications). This is what I did and ONLY Freecycle alerts arrive at this secondary address. Be careful out there. Don't click on links in emails even if they seem to be from someone you know. Ponder on any email you receive as if it is out to steal your information.
I spent 20+ years in an NH school district IT role and have seen everything related to data breaches courtesy of more than capable, intelligent people clicking on links or responding to seemingly "genuine" requests from district administrators. Question anything that seems unlikely or too good to be true.