PortableFreeware.com hacked. Usernames, emails and password hashes taken.

John T. Haller
Admin, Developer, Moderator, Translator
Joined: 2005-11-28 22:21
PortableFreeware.com's user database was apparently hacked and posted online on July 5th, and hacked again July 31st and posted online on August 23rd, according to user posts in their forum and Twitter. Usernames, email addresses and password hashes (MD5) were apparently posted. Everyone who has an account on PortableFreeware.com is urged to change their password to something unique to PortableFreeware.com and change any other sites (email, forums, banking, etc.) that they use the same password on. While the password hash itself is not a password, a password could be determined from a hash using several methods. It is unclear if the site is still vulnerable to the vulnerability that was used to download the user database. No official announcement has yet been made.

I know of several members on PortableApps.com who are also members of PortableFreeware.com, so I wanted to be sure folks here who have accounts there were aware of the issue. For future safety, it's always best to use secure passwords like those generated by KeePass and similar tools and ensure that you use a unique password for every site.

Pyromaniac
Developer
Joined: 2008-09-30 19:18
It looks like Pastebin took it down

So hopefully it doesn't do (too) much damage.

John T. Haller
Admin, Developer, Moderator, Translator
Joined: 2005-11-28 22:21
Don't Know

The problem is that you can't really know. It was posted on Twitter and re-tweeted, so it could be posted elsewhere as well. And Andy hasn't responded on whether he's patched phpBB yet.

Sometimes, the impossible can become possible, if you're awesome!

Ed_P
Joined: 2007-02-19 09:09
"posted online on July 5th"

So basically 7+ weeks ago. And people have just now noticed?!?

Ed

John T. Haller
Admin, Developer, Moderator, Translator
Joined: 2005-11-28 22:21
Not Sure

It may have been hacked twice. Something was posted to Pastebin on July 5th. Another copy was posted yesterday and tweeted. That one seems to have been taken down. The hack for the one posted yesterday occurred at the end of July. So the site has been vulnerable for a while. Andy hasn't made an announcement yet, so I'm honestly not sure of the chain of events or if the site is still vulnerable. I just heard about it so I wanted any folks here who were also members of PFC to know so they could update passwords and such.

UPDATE: I went back and researched and it seems to be 2 separate incidents by 2 different people/groups. I've updated the main topic to reflect this.

Sometimes, the impossible can become possible, if you're awesome!

romulous
Joined: 2009-10-23 03:58
Me for one

Yeah, I'm one that has an account here and over there as well. I did change my account password yesterday as soon as I read the thread over on TPFC, but I was disturbed that there was apparently at least one other incident back in July that there was no notice given of.

Thankfully, I use a password manager and generally have a different password for each and every site, so at least in this case, only TPFC was using the password I had for it. However, even though my username wasn't apparently in the letters of the alphabet compromised (according to the thread), the email account associated with it has received a sudden influx of spam, whereas previously I only ever had 1 single spam to it (account created specifically for forum logons). I had about 4 on the same day yesterday - not a lot in a day-to-day sense, but considering the account was created a few months ago and the spam count had been one single message in that time, it is a 400% increase relatively. It could be coincidence (spam levels do rise and fall after all), but it could be that the other letters of the alphabet were compromised as well despite what was posted over at TPFC.

*sad face*

The irony is that I only signed up for an account over there when they blocked anonymous posting of comments on program entries, I had no need for an account otherwise.

Regards.

Edit: Actually, according to the thread now they did in fact get the whole alphabet; the other letters were apparently compromised in a second attempt. So yeah - I guess the spam increase would not be coincidental.

I used to have a sig...until one of the mods ate it
