So turns out Pillowfort is aptly named in the “exactly as robust as it sounds” sense.
More thoughts here, but tl;dr people pointed exactly these issues out over a year ago and Pillowfort told us they’d been fixed. They lied.
Serious Professional Advice: If you have a Pillowfort account… don’t. Assume all data you’ve ever posted there—from your passwords to your post content—is compromised. If you’ve used the same password at Pillowfort that you’ve used on any other service, change it on all those other services.1
They aren’t going to learn and they aren’t going to get better; Pillowfort is a get-rich-quick scheme for its creators who want to be fandom billionaires and don’t care what damage they do to get there. Do not let them get away with it.
- Also please don’t reuse passwords. [↩]