More than seven million people may have had sensitive information stolen after a data breach on Freecycle’s servers.
The organization has published a warning on its website, described what had happened and urged its users to immediately change their credentials.
Freecycle is a non-profit organization that connects people who want to trade used items instead of throwing them away.
Freecycle Violation
“On August 30, we became aware of a data breach on Freecycle.org,” the organization writes in its statement. “As a result, we advise all members to change their passwords as soon as possible.”
“We apologize for the inconvenience and ask that you watch this space for further ongoing background information.”
The attack appears to have happened months before, even before June, when the Freecycle database was already for sale on the dark web, including data such as usernames, user IDs, email addresses, and MD5 hashed passwords.
By analyzing the screenshots posted by the attackers, Bleeping Computer concluded that it was Freecycle founder and executive director Deron Beal who had his credentials stolen, giving the attackers keys to the kingdom.
After discovering the breach, the organization contacted the police, adding that users should be wary of possible phishing attacks and other scams coming their way: “While most email providers do a good job in filtering spam, you may receive more spam than usual,” the warning reads.
“As always, stay vigilant for phishing emails, don’t click on links in emails, and don’t download attachments unless you’re expecting them.”
In addition to phishing, this type of information can also be used in identity theft and bank fraud.
Freecycle is a large organization with nearly 11 million members in more than 5,000 cities around the world.