The SQL injection issues, at least all that I could find, are fixed. The first alert was on March 18th. That went out via:
See also FreshSource code fixes.
- everything we know about is fixed
- we saw no evidence of data being obtained
- we have no proof it was not obtained
The safest procedure: change your FreshPorts password. Anything you had set before Friday March 24 2023 09:49:20 UTC should be changed.
If you used the same login credentials somewhere else, you should change them there too.
For you to be at risk, I would expect:
- the data on FreshPorts to have been accessed (there is no evidence either way)
- the hashes to have been cracked
- you used the same FreshPorts login information somewhere else
- the attacker then knows where that somewhere else is
From FreshPorts, the most valuable thing they might get is the list of packages you are tracking. We don’t have home addresses, phone numbers, or credit card information.
Sorry about this.