Freecycle gives users the gift of a security breach notice

Change your passwords. And maybe give the recycling a miss this time

Updated Freecycle, the charity aimed at recycling detritus that would otherwise be headed for landfill, has become the latest organization to suffer at the hands of cyber attackers and admit to a breach.

The charity became aware on August 30 that user data had been "exposed" and issued urgent advice to all members that passwords would need to be changed. It also warned users to beware of an uptick in spam emails due to the details extracted.

Executive director Deron Beal said: "The data breach includes usernames, User IDs, email addresses and hashed passwords."

Although hashed – Freecycle did not elaborate on the hashing technique used – the exposure of the passwords means that a change would be prudent regardless.

Beal said that while the outfit doesn't have access to the actual list, "Shefa" on breachforums is claiming 7 million accounts and passwords with 31 (legitimate looking) 31 samples.

Also, if – heaven forbid – that same password has been used elsewhere, those should also be changed. Don't reuse passwords, ok?

Beal went on to say the breach had been closed and regulatory authorities notified. In a separate notification, Freecycle said UK data watchdog ICO and "the appropriate US authorities" were informed.

While Freecycle did not immediately respond to a request for comment regarding how the data was accessed, Beal warned members: "Please remain vigilant of phishing emails, avoid clicking on links in emails, and don't download attachments unless you are expecting them."

Data from the breach, including Beal's own credentials, reportedly turned up on hacking forums before Freecycle posted its notification.

Beal kicked off US-based Freecycle in 2003, aimed at recycling items for free rather than throwing them away. It began in Tuscon, Arizona and has since spread to more than 110 countries. It is made up of more than 5,000 local town groups with over 9 million members around the world.

The organization has yet to confirm how many of those nine million members have had their details exposed in the attack – although some reports put the figure at seven million. Its advice therefore stands – all members should change their passwords as soon as possible.

Just don't recycle an old one. ®

Updated to add:

Freecycle supremo Deron Beal has been in touch since the publication of the article with a few updates. Asked what data was taken, he responded: "Username, ID, email, hashed password. That's basically all the personal information we have on as a charitable nonprofit recycling and used-item gifting community (no address, phone number, financial info etc as all posts of items are for free)."

When asked how the breach occurred, he said: "We believe a server may have been exposed a couple years ago. And it looks to be an old breach as the data samples are old. The server in question is no longer exposed.

"Still, if someone hasn't changed their password, they should do so. Even though the data on is not sensitive, some individuals may be using the same password elsewhere where data is more sensitive in nature."

More about


Send us news

Other stories you might like