Good morning.
Late last night I acted quickly to alert Nostr when I realized many of us were under a targeted attack. I have received some criticism for exposing the method that was used to reveal thousands of email addresses from Alby's user database.
I realize I could have handled it differently, but I did what I believed at the moment to be in the best interest of disclosure to help others. From what I could tell, the majority of the damage had already been done.
The email/password login feature has since been disabled, but anyone who already received an unexpected password reset should consider their email address doxxed.
I do not believe there are any further risks. If you are using the browser extension, your nsec was not exposed by this, because that information never left your possession. This was simply a scrape of Nostr Lightning addresses used to exploit a vulnerability in a login function.
There is a lot to be learned from this by everyone.
Replies (9)
great. gm!
I'll never understand people that prefer for the "bad guys" to be the only ones to know specifics of an exploit.
Once a compromise is found, it should be shouted from every rooftop.
Thank you!
Thanks, Daniel, for alerting, even if it was not perfect that it was public, but definitely with good intentions, and it also allowed us to act quickly.
Big mistake on our side and a chance to improve security more, e.g. adding passkey support.
Thanks. I know how hard it is to build trust in this industry and it's very easy to destroy that in an instant.
Hoping this is a teachable moment for all of us in security best practices.
I was looking into the getalby.com domain MX records using (a very good tool to configure your email server properly) and I found these records used for anti-spam and anti-phishing:
DMARC (current):
v=DMARC1; p=none; rua=mailto:b02f99b6d44a47f595397b4b8fc195fd@dmarc-reports.cloudflare.net
I would put a stronger DMARC with:
v=DMARC1;p=reject;sp=quarantine;pct=10;rua=mailto:b02f99b6d44a47f595397b4b8fc195fd@dmarc-reports.cloudflare.net;ri=86400;aspf=r;adkim=r;fo=1;
SPF
v=spf1 include:zoho.eu include:spf.ourmailsender.com include:spf.mandrillapp.com ~all
I would change ~all into -all.
In this way, in case of a phishing attack, the recipients' email servers can more easily reject those phishing (fake) emails.
MX Lookup Tool - Check your DNS MX Records online - MxToolbox
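An added example (not code from the thread or from Alby) that parses the DMARC and SPF records quoted in the reply above and flags the settings a defender would tighten; the grading rules are my own assumptions, not an official score.

```python
# Added example, not code from the thread or from Alby: parse the DMARC and
# SPF records quoted above and flag weak settings. Grading rules are my own.
DMARC_CURRENT = ("v=DMARC1; p=none; rua=mailto:"
                 "b02f99b6d44a47f595397b4b8fc195fd@dmarc-reports.cloudflare.net")
DMARC_PROPOSED = ("v=DMARC1;p=reject;sp=quarantine;pct=10;rua=mailto:"
                  "b02f99b6d44a47f595397b4b8fc195fd@dmarc-reports.cloudflare.net;"
                  "ri=86400;aspf=r;adkim=r;fo=1;")
SPF_CURRENT = ("v=spf1 include:zoho.eu include:spf.ourmailsender.com "
               "include:spf.mandrillapp.com ~all")


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value;' pairs into a dict; spaces and a trailing ';' are tolerated."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def dmarc_findings(record: str) -> list:
    """Return weaknesses as strings; an empty list means fully enforcing."""
    t = parse_dmarc(record)
    out = []
    if t.get("p", "none") == "none":
        out.append("p=none: failing mail is only reported, never blocked")
    pct = int(t.get("pct", "100"))
    if pct < 100:  # reject/quarantine is applied to only this share of failures
        out.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    sp = t.get("sp")
    if sp is not None and sp != "reject" and t.get("p") == "reject":
        out.append(f"sp={sp}: subdomains are enforced more weakly than the apex")
    return out


def spf_findings(record: str) -> list:
    """Flag a soft-fail or neutral 'all' mechanism (anything but -all)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    out = []
    alls = [x for x in terms[1:] if x.lstrip("+-~?").lower() == "all"]
    qual = alls[-1] if alls else "?all"  # a missing 'all' term behaves as neutral
    if not qual.startswith("-"):
        out.append(f"{qual}: unauthorised senders are not hard-failed")
    return out
```

Note that the proposed record still gets two findings: pct=10 means reject is applied to only a tenth of failing mail, and sp=quarantine leaves subdomains weaker than the apex domain.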
Thanks @npub1lxkt...5xlc, sharing it with our team!
Hey, I don't think there is much else you could or should have done. You could have directly contacted us as we have direct communication channels open but likely by that time it was already worked on. Thanks for raising the warning and caring. Problem for sure was that we allowed people to enter lightning addresses - for which we sadly had a lot of support requests. So an email address could be exposed for a known lightning address.
At the same time lots of requests have been sent with emails from some leaks (where no account exists) - that's always the case on the evil internet...
Each of those requests came from a different residential IP address (we have strict rate limits, but the firewall did not catch all of them).
We'll remove password logins; those are too often a source of such problems.
No account was at risk; Alby Hub and the Extension are unaffected anyway.
Grace under pressure. Respect, Michael.
retarded services with all those forced accounts. submitting passwords and email addresses. salt or not matters zero. welcome to the 90s. what do these services teach their users. submit even more personal data. more every time, with every incident. every leak. on top of that funny lawmakers come up with submitting more and kyc and digital ids instead of actual self sovereign self host local encrypt. well done. great job. fuck yeah. #NDN #NamedDataNetworking.