Freecycle suffers serious breach of user data

Millions of users urged to change passwords urgently

Popular not-for-profit Freecycle network has confirmed it suffered a serious data breach at the end of last month.

In a statement the organisation said it became aware of the breach last week, but the breach itself may have occurred years ago. The statement said:

"On August 30th we became aware of a data breach on Freecycle.org. As a result, we are advising all members to change your passwords as soon as possible. We apologize for the inconvenience."

According to the organisation, the stolen data includes usernames, User IDs, email addresses, and MD5-hashed passwords. The fact that the whole point of Freecycle is giving objects away in preference to sending them to landfill means that the organisation doesn't store any user financial data.

The statement continues:

"While most email providers do a good job at filtering out spam, you may notice that you receive more spam than usual," users were advised.

"As always, please remain vigilant of phishing emails, avoid clicking on links in emails, and don't download attachments unless you are expecting them."

Commenting to The Register, Freecycle Executive Director Deron Beal said:

"We believe a server may have been exposed a couple years ago. And it looks to be an old breach as the data samples are old. The server in question is no longer exposed.

"Still, if someone hasn't changed their password, they should do so. Even though the data on Freecycle.org is not sensitive, some individuals may be using the same password elsewhere where data is more sensitive in nature."