all members should change their passwords as soon as possible
I wonder when they're going to tell members that. I've been a Freecycle member for years, but I've not seen any emails from them to warn me about this data breach.
Freecycle, the charity aimed at recycling detritus that would otherwise be headed for landfill, has become the latest organization to suffer at the hands of cyber attackers and admit to a breach. The charity became aware on August 30 that user data had been "exposed" and issued urgent advice to all members that passwords would …
Iirc Freegle and Freecycle are 2 different entities?
I fell out with Freegle as their local mod team were on a Soviet Russia-esque power trip and being utterly out of line by threatening to "add stuff to your file" - that got them told to get fucked and to delete my data
So henceforth near everything that would have gone via Freegle has been interfaced with the council rubbish bins
Looks like it's down to the local mod to send out the email, I had mine Sunday...
This is an automatic email containing a file from the Group.
---------------
On 30th August The Freecycle Network / Freecycle.org became aware of a data breach on Freecycle.org. As local Town group volunteer moderators we have been asked to reach out to you as a local group member to ask that you change your Freecycle.org password as soon as possible. We very much apologise for the inconvenience.
Further information on the breach and on how to change your password may be found here:
https://freecycle.helpscoutdocs.com/article/319-data-breach-august-2023
[and there is a "?" on that page if you have further questions]
The breach of data includes usernames, User IDs, email addresses and hashed passwords. Because of the exposure of personal passwords we are taking every measure to quickly inform members about the need to change their passwords. If you have used the same password elsewhere, you are well advised to change the password there as well. No other personal information was compromised and the breach has been closed and is being reported to the respective privacy authorities.
While most email providers do a good job at filtering out spam, you may notice that you receive more spam than usual. As always, please remain vigilant of phishing emails, avoid clicking on links in emails, and don't download attachments unless you are expecting them.
Here are some useful links to help keep you safe:
Find out what past data breaches have involved your personal information: https://haveibeenpwned.com/
Learn how to recognise and report phishing scams in the UK: https://www.gov.uk/report-suspicious-emails-websites-phishing
(USA) Learn how to recognize phishing emails: https://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams
Again, we thank you for your generous gifting locally and apologise for the hassle.
Sincerely yours,
Your Local Freecycle Moderators
"...Beal warned members: 'Please remain vigilant of phishing emails, avoid clicking on links in emails, and don't download attachments unless you are expecting them.'"
Er, with email, that's not how it works. Attachments are part of the email.
You won't normally get bits of an email, you'll get the whole thing, if for no other reason than that it might have a signature - and you can't verify the signature without having the entire email...
Having received it, it's then up to you to do whatever you wish with any attachments that might be in it.
Generally these days they're Windows executables, compressed and archived with Zip into a file which is renamed 'something.rar', and which is then archived *again* with zip.
Which was all a waste of time if you then send it to somebody who only runs Linux boxes, but then the average criminal isn't the sharpest tool in the drawer or he wouldn't be your average criminal.
Most of the time, for me at least, all this just means I report them to at least half a dozen organizations who explicitly ask to see copies of spammy and/or malicious messages.
Most of the other sites reporting this are claiming that the hash used was MD5, but there is a distinct lack of corroborating evidence (like, say, a statement from Freecycle).
For example, Tom's Guide is citing Bleeping Computer, and they are citing: "The stolen information includes usernames, User IDs, email addresses, and MD5-hashed passwords, with no other information exposed, according to Freecycle."
BUT that last link, the one to Freecycle? There is no mention of MD5 in there. Hmm.
Other sites are just repeating this, generally without even bothering to give a citation at all: TechRadar gives no direct citation for MD5, ditto GridinSoft, ditto SecureBlink.
From all this, the fact that The Register doesn't claim it was MD5 can be attributed to their being the only ones who felt like _checking_!
There may actually be a genuine reason to believe it was using MD5, but none of the above could be bothered to provide a citation and I can't be bothered to check any more "news" websites or "professional company" blogs - it is all too, too depressing.