Thread

We don't need fear tactics, it's likely just their email provider, they are reporting many issues on X right now, this is one of them @Uno

That sucks. Never used Alby.

😂

Nice one, @Alby . Come on, basics of privacy and security and you failed them. WTF?

I got a ‘reset your password’ email that I never requested today 👀

Is my nsec safe ?

Responsible disclosure matters and this is not the way to do it… I have already PMed @bumi. While there is urgency for people to change their emails to a throwaway, you should not be disclosing how/why it works. We don’t need 1000 people with access to the e-mails instead of 1. Attackers are usually faster than users/devs too.

I wonder if the emails they send will end up in the phishing folder.

Shit.. I received the password reset mail too

Does anyone really sign up using a real (daily use / KYCed) email address?? Just asking for some friends.

BTC glub glub glub

Exactly ! Got a password change request but changed my LN provider a while ago. So old infos are going round …..

KYC + pseudonymity is bad When will Bitcoiners learn?

If they ask for an email they ask for a unique identifier, when they don't need one. Don't support data hoarders my friends. Support those underground projects that give you access to everything over onion or i2p.

this is why i never used my actual email address and use aliases for everything. email gets put on some list? cool, delete the alias and move on.

Just in case you received the Alby password reset email and had no idea why 👇🏼 View quoted note →

My LN address and Alby email are not the same and still got a password reset request

Bitcoin fixes this

“We also offer the option to sign in with Google.” LOL, I don't spend so much energy every day trying to free myself from Google for that! I use Linux and /e/OS because I don't want anything to do with Google. I deleted all my Alby accounts for security reasons. I didn't really have any use for them anyway...

------------------------------------------------- Privacy and Other Related Stuff ------------------------------------------------- Keep private. 1️⃣Use email alias forever on each service 2️⃣Use 2FA - not sms - whenever possible 3️⃣Delete all services that you dont use 4️⃣Encrypt everything. No busques la perfección. Una acción cada vez y mejorar cada día. ------------------------------- End of transmission -------------------------------

I will never use a service that offers to use Google to log in.

Holy forking shirt!!!! Recommendations?

This is why I run my own node hardware 🥲

If a wallet asks for any information, it's an absolute no for me, dawg.

It was scary morning tho 🥹🥹 I started panicking a bit. I guess it's time for email aliases clean up xd

That's how they got my single-use email alias

Update: View quoted note →

Received a bunch of these emails to reset alby recently, including for old abandoned/test accounts. I was getting suspicious.

Thank you! I removed my alby address from my Nostr profile for now

FWIW - email from Alby Support: Overnight we have received notices of some unusual requests to our infrastructure. Over a short period of time many password reset emails had been requested from various residential proxies around the world. Our rate limiting protects against spamming attacks but requests got through to request password reset emails. Many of the requests are likely for emails that had been included in some data breach or have been publicly exposed by their owner. Password request emails also have been requested for lightning addresses which falsely exposed the user's email address. This had been a feature deployed to help users keep easy access to their accounts. But as many users post their lightning address on profiles like nostr this should not be exposed and a fix has been deployed immediately. Generally there should be no way to display a user's email address. We have failed here. About 5500 password reset emails had been requested by the attacker. We have not seen any abnormal related login activity and accounts are safe. People who got a password reset email can ignore the email. As we have seen a general increase in attacks on user accounts trying to brute force logins with some emails from some data leaks we have fully disabled password logins and require all users to login with the one time token. This adds an another layer of security. Additionally we also offer the option to login with Google. Please note: only Alby Accounts use email-based login. Alby Hub, the Alby Browser Extension, and Alby Go are not affected.

my email has been leaked many times. You can search your email in have I been pawned website and it shows you all the leaks. I'm not worried, I get phishing emails all the time. They go straight to my spam folder

HOLY SHIT, WHAT A MESS 🤑 👇

Thank squid for per account email aliases. Compartmentalization is a big part of security.

Requiring an email address is what has always kept me away. And no, not going to just spin up a burner email, just not gonna do it. Stop asking for emails and stop providing them.

dont you like data hoarding and accountitis? leak away. the more the merrier. fuck accounts. and credentials #NDN