Millions of people who use the Freecycle online forum to swap unwanted items may now have their passwords, email addresses, and other sensitive information traded on the dark web following a data breach this summer.
The operators of the Freecycle Network, which is based in the United States and also is registered in the UK, wrote in an online notice that they learned about the data breach August 30, though the bad actors behind the attack reportedly put some of the stolen information up for sale on a hacking forum weeks earlier.
The breach exposed a range of data, including usernames, user IDs, email addresses, and passwords, according to the company, whose online sites lets users trade possessions they no longer want rather than throw them away.
Included in the batch of stolen data were the credentials of Deron Beal, Freecycle’s founder and executive director. Freecycle claims more than 11 million users and some reports say the data of 7 million of them were exposed during the incident. The attacker reportedly had put some of the stolen data up for sale on a hacking forum as early as May.
The worry is that threat actors can use these credentials in phishing emails to access to user accounts and steal more data or use the information to launch credential-stuffing attacks, using the stolen credentials to log into other accounts, betting that some victims have used the same passwords for multiple online accounts.
