This Reg article claims the data was password hashes using an undisclosed hashing algorithm: https://www.theregister.com/2023/09/05/freecycle_becomes_the_latest_data

So why not say that in the main advisory on the website? It'd be just a tiny bit reassuring to know they at least made an effort, rather than release a statement saying "passwords" had been stolen.