The SQL injection issues, at least all that I could find, are fixed. The first alert was on March 18th. That went out via:
- Twitter account
- status page
- a notice on the top of each page of the website
See also FreshSource code fixes.
Short version
- everything we know about is fixed
- we saw no evidence of data being obtained
- we have no proof it was not obtained
The safest procedure: change your FreshPorts password. Anything you had set before Friday March 24 2023 09:49:20 UTC should be changed.
If you used the same login credentials somewhere else, you should change them there too.
Long version
For you to be at risk, I would expect:
- the data on FreshPorts to have been accessed (there is no evidence either way)
- the hashes to have been cracked
- you used the same FreshPorts login information somewhere else
- the attacker then knows where that somewhere else is
From FreshPorts, the most valuable thing they might get is the list of packages you are tracking. We don’t have home addresses, phone numbers, or credit card information.
Sorry about this.