Freecycle gives users the gift of a security breach notice

Freecycle, the charity aimed at recycling detritus that would otherwise be headed for landfill, has become the latest organization to suffer at the hands of cyber attackers and admit to a breach. The charity became aware on August 30 that user data had been "exposed" and issued urgent advice to all members that passwords would …

  1. Hans Neeson-Bumpsadese Silver badge

    all members should change their passwords as soon as possible

    I wonder when they're going to tell members that. I've been a Freecycle member for years, but I've not seen any emails from them to warn me about this data breach.

    1. getHandle

      I've had an email - yesterday, IIRC.

    2. DJV Silver badge

      I've changed my password. But, no, I didn't get an email about the breach from Freegle, either.

      1. CountCadaver Silver badge

        IIRC Freegle and Freecycle are 2 different entities?

        I fell out with Freegle as their local mod team were on a Soviet Russia-esque power trip and being utterly out of line by threatening to "add stuff to your file" - that got them told to get fucked and to delete my data

        So henceforth near everything that would have gone via Freegle has been interfaced with the council rubbish bins

    3. terry 1

      Looks like it's down to the local mod to send out the email, I had mine Sunday...

      This is an automatic email containing a file from the Group.

      ---------------

      On 30th August The Freecycle Network / Freecycle.org became aware of a data breach on Freecycle.org. As local Town group volunteer moderators we have been asked to reach out to you as a local group member to ask that you change your Freecycle.org password as soon as possible. We very much apologise for the inconvenience. 

      Further information on the breach and on how to change your password may be found here:

      https://freecycle.helpscoutdocs.com/article/319-data-breach-august-2023

         [and there is a "?" on that page if you have further questions]

      The breach of data includes usernames, User IDs, email addresses and hashed passwords. Because of the exposure of personal passwords we are taking every measure to quickly inform members about the need to change their passwords. If you have used the same password elsewhere, you are well advised to change the password there as well. No other personal information was compromised and the breach has been closed and is being reported to the respective privacy authorities. 

      While most email providers do a good job at filtering out spam, you may notice that you receive more spam than usual. As always, please remain vigilant of phishing emails, avoid clicking on links in emails, and don't download attachments unless you are expecting them. 

      Here are some useful links to help keep you safe:

      Find out what past data breaches have involved your personal information: https://haveibeenpwned.com/  

      Learn how to recognise and report phishing scams in the UK: https://www.gov.uk/report-suspicious-emails-websites-phishing 

      (USA) Learn how to recognize phishing emails: https://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams

      Again, we thank you for your generous gifting locally and apologise for the hassle.

      Sincerely yours,

      Your Local Freecycle Moderators

    4. FrogsAndChips Silver badge

      I was notified 3 days ago. I'm not using my primary email address for Freecycle (not even a secondary one), so I wasn't aware until I came across this article. Have you checked the address you use for them?

    5. Ramis101

      No email received here. This is the first I have heard about it.

  2. sitta_europea Silver badge

    "...Beal warned members: "Please remain vigilant of phishing emails, avoid clicking on links in emails, and don't download attachments unless you are expecting them.""

    Er, with email, that's not how it works. Attachments are part of the email.

    You won't normally get bits of an email, you'll get the whole thing, if for no other reason than that it might have a signature - and you can't verify the signature without having the entire email...

    Having received it, it's then up to you to do whatever you wish with any attachments that might be in it.

    Generally these days they're Windows executables, compressed and archived with Zip into a file which is renamed 'something.rar', and which is then archived *again* with zip.

    Which was all a waste of time if you then send it to somebody who only runs Linux boxes, but then the average criminal isn't the sharpest tool in the drawer or he wouldn't be your average criminal.

    Most of the time, for me at least, all this just means I report them to at least half a dozen organizations who explicitly ask to see copies of spammy and/or malicious messages.

    1. Dan 55 Silver badge

      If you're downloading via IMAP you can download attachments separately from the main body.

    2. FrogsAndChips Silver badge

      Most webmails will show you attachments as a link or an icon, so the download will only happen if you click on it.

    3. kjhenmb

      With an email client using an IMAP account, you can view the email received in your account without downloading the attachment to the device you're viewing on.

  3. Anonymous Coward

    MD5 Hashed Passwords

    Might as well have been plain text *face palm*.

    1. Anonymous Coward

      Re: MD5 Hashed Passwords

      Who said they were hashed using MD5??

      1. that one in the corner Silver badge

        Re: MD5 Hashed Passwords

        Most of the other sites reporting this are claiming that the hash used was MD5, but there is a distinct lack of corroborating evidence (like, say, a statement from Freecycle).

        For example, Tom's Guide is citing Bleeping Computer, and they are citing: "The stolen information includes usernames, User IDs, email addresses, and MD5-hashed passwords, with no other information exposed, according to Freecycle."

        BUT that last link, the one to Freecycle? There is no mention of MD5 in there. Hmm.

        Other sites are just repeating this, generally without even bothering to give a citation at all: TechRadar gives no direct citation for MD5, ditto GridinSoft, ditto SecureBlink.

        From all this, the fact that The Register doesn't claim it was MD5 can be attributed to their being the only ones who felt like _checking_!

        There may actually be a genuine reason to believe it was using MD5, but none of the above could be bothered to provide a citation and I can't be bothered to check any more "news" websites or "professional company" blogs - it is all too, too depressing.

  4. Anonymous Coward

    MD5 Hashed Passwords

    Might as well have been plain text.

    1. Anonymous Coward

      Re: MD5 Hashed Passwords

      Echo cho cho cho

  5. MJI Silver badge

    Gave up on all of them

    All are on power trips, rejecting things due to slight formatting errors, not saying name of town in name of town group, that sort of thing.

    All to do their petty dictator crap.

    So use charity shops and local tip, much easier.

    1. Chris Evans

      Re: Gave up on all of them

      I've used freecycle quite a few times, both giving away and receiving. There can be a few niggles but nothing to worry about.

      1. FrogsAndChips Silver badge

        Re: Gave up on all of them

        Same here. I've had more issues with time wasters that never collect the items than with admins.

      2. MJI Silver badge

        Re: Gave up on all of them

        It ended up more or less disappearing around here as too rigid rules.

        Replacement started down same route, just got too much work to offer stuff.

        So donated more to charity shops if of use.

  6. Archivist

    Oh no!

    The miscreants can find out what I give away!

  7. Charles Smith

    Spammed

    I've already had a couple of spam/hack emails linked to my freecycle email address. Always use a different password for any login.
