The FreeNAS web GUI should not be exposed to the Internet, on any port (port 80 would be even worse, since that's the standard HTTP port, but attackers tend to use port scans anyway, so using a non-standard port won't really buy you much in terms of security), because it isn't designed or secured for that application. You've left it exposed, on the standard port, for two weeks. There's no way of knowing what could have happened in that time. Your system could be fine, with a password change a mere precaution. Or it might be totally pwned, and part of a botnet that's trying to hack into NORAD.
The problem is that if someone has managed to log in to the web GUI, they have full root shell access to your server. They can do anything--install any software, modify any configuration, install any rootkit, etc. Some of these things are undetectable.
There are two safe ways of accessing your FreeNAS server remotely: (1) through a VPN, ideally set up at the router; or (2) via SSH, to include SSH tunneling. Forwarding anything from the Internet to any port on your FreeNAS server other than the port being used for SSH is highly insecure. Forwarding ports to jails may be secure or not, depending on how those jails are set up (I haven't heard of vulnerabilities related to forwarding 32400 to the Plex Server, but forwarding port 22 to a jail running Telnet wouldn't be safe at all).
When it comes to network and server security, "am I being paranoid?" isn't the question to ask. The question should be, "am I being paranoid enough?"