Freecycle Data Breach May Have Impacted Millions of Users
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
Non-profit organization Freecycle announced that it had suffered a data breach incident last month. The announcement posted on its homepage states that it became aware of the attack on August 30 and as a result advises its members to change their passwords.
The US-based Freecycle Network is used by millions of people across the world to recycle used items. The organization claims to have over 9 million members across 5,000 towns worldwide.
According to the notification, it had already reported the data breach to the relevant US authorities and to the UK's data protection regulator, the Information Commissioner's Office (ICO). The organization is registered as a charity in the UK.
Freecycle's disclosure confirms the authenticity of the sample data posted on a hacking forum in June 2023. The data set was said to contain login credentials of around 7 million members. The organization's internal investigation reveals that the stolen information includes “usernames, User IDs, email addresses and hashed passwords”.
“Because of the exposure of personal passwords we are taking every measure to quickly inform members about the need to change their passwords,” the notice read.
“If you have used the same password elsewhere, you are well advised to change the password there as well. No other personal information was compromised and the breach has been closed and is being reported to the respective privacy authorities.”
In addition to the notice on its website, the organization is urging grassroots volunteer moderators to reach out to other members regarding the data breach and password reset information.
The organization has provided password reset options for members:
- Visit https://www.freecycle.org/home/settings/, go to My Settings and select the Password Reset option.
- Visit https://freecycle.org/login?reset-password and request a password reset link via email.
Although no financial information was breached, the affected users are still vulnerable to account hijacking and phishing attacks, especially where the same or similar credentials have been used on other services.
Data Security Incident at Forever 21 Impacts Nearly Half a Million Individuals
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
The fashion retailer Forever 21 has disclosed, in a notification, a data breach that is said to have affected over 500K of its current and former employees. The breach did not impact the company's customers.
In the sample letter submitted to the Maine Attorney General’s Office, the Los Angeles-headquartered company revealed that it had identified a cyberattack on some of its systems on March 20.
The attack, which is said to have taken place over a period of more than two months, saw an unidentified hacker gain access to its systems multiple times between January 5 and March 21, 2023. After the discovery, the company partnered with a cybersecurity firm and launched an investigation.
During the investigation, the company found that the unidentified third party had used the access to extract company data. “Findings from the investigation indicate the unauthorized third party obtained select files from certain Forever 21 systems during this time period,” the notice read.
In August, Forever 21 sent notices to the 539,207 affected individuals, describing the incident in full along with information on the stolen personal data.
The stolen information included full name, Social Security Number (SSN), date of birth, bank account number (without access code or PIN), and Forever 21 health plan details, including the individual's enrolment and premium payment details.
In the notification, the company also notes that there was no evidence of any misuse of the stolen data. “We have no evidence to suggest your information has been misused for purposes of fraud or identity theft as a result of this incident – and no reason to believe that it will be.”
No details were shared about the attack or the attacker behind the incident, but from the company's statement it can be deduced that it had engaged with the hackers to ensure that the stolen data was erased and not used for any fraudulent activities.
As a precaution, it is also providing a 12-month complimentary fraud and identity protection service to the affected individuals.