
Overnight we have received notices of some unusual requests to our infrastructure. Over a short period of time many password reset emails had been requested from various residential proxies around the world. Our rate limiting protects against spamming attacks but requests got through to request password reset emails. Many of the requests are likely for emails that had been included in some data breach or have been publicly exposed by their owner. Password reset emails have also been requested for lightning addresses, which falsely exposed the user's email address. This had been a feature deployed to help users keep easy access to their accounts. But as many users post their lightning address on profiles like nostr this should not be exposed and a fix has been deployed immediately. Generally there should be no way to display a user's email address. We have failed here. About 5500 password reset emails had been requested by the attacker. **We have not seen any abnormal related login activity and accounts are safe. People who got a password reset email can ignore the email.** As we have seen a general increase in attacks on user accounts trying to brute force logins with some emails from some data leaks we have fully disabled password logins and require all users to log in with the one time token. This adds another layer of security. Additionally we also offer the option to log in with Google. If you have questions or feedback, please let us know: support.getalby.com
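The failure mode the announcement describes, shown as an added example rather than Alby's code: a reset endpoint that accepts a lightning address as the identifier and reveals the linked email through its response, next to a hardened handler that answers identically for known and unknown identifiers and rate-limits per target account rather than per source IP (so spreading requests over residential proxies gains nothing). The `ACCOUNTS` store, `ResetService` and the generic message are constructed assumptions.

```python
import hashlib
import time
from collections import defaultdict

# Constructed sample store (hypothetical data): login identifiers -> email on file.
# A lightning address is accepted as an identifier, so a reply that echoes the
# email, or that differs for unknown identifiers, leaks the address -> email mapping.
ACCOUNTS = {
    "alice@getalby.com": "alice.private@example.com",
    "alice.private@example.com": "alice.private@example.com",
}

GENERIC = "If an account matches, a reset link has been sent to the email on file."


class ResetService:
    def __init__(self, per_account_limit=3, window_seconds=3600):
        self.per_account_limit = per_account_limit
        self.window_seconds = window_seconds
        self.sent = []                  # outbound reset emails (stands in for the mailer)
        self.hits = defaultdict(list)   # rate-limit key -> request timestamps

    def request_reset_leaky(self, identifier):
        """The pattern described in the thread: the reply depends on and reveals the lookup."""
        email = ACCOUNTS.get(identifier.lower())
        if email is None:
            return {"ok": False, "message": "no such account"}       # enumeration oracle
        self.sent.append(email)
        return {"ok": True, "message": f"Reset link sent to {email}"}  # leaks the email

    def _allowed(self, key, now):
        recent = [t for t in self.hits[key] if now - t < self.window_seconds]
        self.hits[key] = recent
        if len(recent) >= self.per_account_limit:
            return False
        recent.append(now)
        return True

    def request_reset(self, identifier, now=None):
        """Hardened form: constant response; the limit is keyed on the target account,
        so many source IPs (residential proxies) do not raise the cap."""
        now = time.time() if now is None else now
        normalized = identifier.strip().lower()
        key = hashlib.sha256(normalized.encode()).hexdigest()
        if self._allowed(key, now):
            email = ACCOUNTS.get(normalized)
            if email is not None:
                self.sent.append(email)  # the email is never returned to the caller
        return {"ok": True, "message": GENERIC}
```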

Replies (71)

They don't break any server, by using your public alby address in nostr, they just requested a password reset. This is not a scam email, it's a real email from Alby. The hack is that they can get your email from your Alby address, but to do so they have to trigger a password reset. Everything is pretty safe, don't worry. Just make sure to use strong passwords and keep an eye on any incoming emails to the email address connected to your Alby account
It's definitely unpleasant that it happened. But one must be careful on the internet. I personally, using tools to check for data leaks, have seen emails leaked from other much bigger companies and software. That's why personal culture regarding cybersecurity is an important thing. I'm also 99% sure that a large part of these emails have already been leaked somewhere else. That's why it's good to use email masking services.
We've seen many attacks where it seemed attackers have used emails + passwords from different breaches. If you want to get a picture of which breaches your email was included in: However, we also recognize that Alby emails could have been exposed through the reset password system as mentioned already in this announcement and we have made the necessary changes to ensure affected users are not at risk of losing their funds.
Hey @Alby - please allow passkey login. My account shouldn’t be constrained solely by email. Email is not a suitable 2FA method. Username + password + TOTP or email token + TOTP are good, but Passkey is better because it requires a device you possess already and doesn’t rely on email that’s phishable. I’ve seen other sites go further and require TOTP after a Passkey too, fwiw. Point being, give users the option for real 2FA decoupled from email.
What did you think people were going to do with their Lightning addresses if not give them out? You're trying to sell a basic form of security failure as a feature and that's the problem. You gave everyone easy access by breaking a fairly old convention at this point. No other breach was necessary here, so that's a distraction. Discuss how you're going to pay someone to audit your stack to look for other failures if you want to earn trust. Implement optional hardware and OTP 2FA alongside email confirmation if you haven't. Login with Google?...