Freecycle is an online forum dedicated to exchanging second-hand items, with nearly 11 million users from more than 5,300 local towns around the world. The forum recently suffered a large-scale data breach, affecting more than 7 million users.
The group said it discovered the breach last Wednesday (August 30), weeks after threat actors sold stolen data on a hacking forum and warned those affected to change their passwords immediately.
According to Freecycle, the stolen information this time included only usernames, user IDs, email addresses, and MD5-encrypted passwords.
Judging from the screenshots shared by the threat actor who sold the stolen information, the identity of Freecycle founder and executive director Deron Beal was stolen in the incident, which gave the threat actor full access to member information and forum posts.
In a notice posted on the homepage, Beal warned that Freecycle.org had experienced a data breach on August 30th and therefore advised all members to change their passwords as soon as possible and apologized for the inconvenience.
Freecycle data for sale, source: BleepingComputer
Freecycle recommends that users who use the same password in other online services change their passwords in case their accounts are compromised. To reset your Freecycle password, use one of two methods:
- From your profile settings scroll down to the password reset section
- Email from the password reset page
- Users should be aware that due to Freecycle's "email system being very busy at the moment", there may be a delay (up to one hour) in the process of resetting your password via email.
Freecycle said it also reported the incident to authorities after learning of the data breach.
Also, users are reminded that while most email providers do a good job of filtering spam, you may find that you are receiving more spam than usual.
As always, be vigilant about phishing emails, avoid clicking on links in emails, and refrain from downloading attachments.