
Major data breach leaks passwords of seven million Freecycle users


Freecycle said its servers suffered a data breach that may have exposed sensitive information for more than seven million users on the site.

The breach included usernames, user IDs, email addresses and passwords, and the firm has asked registered members to change their passwords.

Freecycle is a non-profit organisation that coordinates a worldwide network of ‘gifting’ groups in a bid to divert reusable goods from landfills.

The firm said the breach has been closed and it has been reported to the Information Commissioner’s Office (ICO) in the UK and authorities in the US.

In a post on its site, it said: “On August 30th we became aware of a data breach on Freecycle.org. As a result, we are advising all members to change your passwords as soon as possible. We apologise for the inconvenience.”

According to Bleepingcomputer.com, a hacker offered up the data for sale on a hacking forum in late May, although the source of the breach was only discovered last Wednesday.

An analysis of the breach showed that hackers were able to gain access to the credentials of Freecycle founder and executive director Deron Beal, which in turn gave them access to member details and forum posts.

Freecycle has around 11 million members in its userbase, from more than 5,300 towns worldwide.

While not the largest UK data breach, the incident still ranks relatively high in terms of the number of users affected.

In July 2017, hackers installed malicious software on over 5,000 tills at various locations across England and gained unauthorised access to about 10 million personal records and almost six million payment cards from Dixons Carphone (now Currys), affecting almost 14 million customers. The ICO later fined the company £500,000 over its failure to secure its internal systems.

The second largest breach occurred in 2015, when credit monitoring firm Equifax admitted that details of more than 15 million UK customers had been accessed over a five-year period.

The ICO has not yet commented on the Freecycle breach or whether it plans to fine the firm.
