Thread - Hyper

Alby 🛡️ 2 months ago

Overnight we have received notices of some unusual requests to our infrastructure. Over a short period of time many password reset emails had been requested from various residential proxies around the world. Our rate limiting protects against spamming attacks but requests got through to request password reset emails. Many of the requests are likely for emails that had been included in some data breach or have been publicly exposed by their owner. Password request emails also have been requested for lightning addresses which falsely exposed the user's email address. This had been a feature deployed to help users keep easy access to their accounts. But as many users post their lightning address on profiles like nostr this should not be exposed and a fix has been deployed immediately. Generally there should be no way to display a user's email address. We have failed here. About 5500 password reset emails had been requested by the attacker. **We have not seen any abnormal related login activity and accounts are safe. People who got a password reset email can ignore the email.** As we have seen a general increase in attacks on user accounts trying to brute force logins with some emails from some data leaks we have fully disabled password logins and require all users to login with the one time token. This adds an another layer of security. Additionally we also offer the option to login with Google. If you have questions or feedback, please let us know: support.getalby.com

Replies (46)

⚡ Dee Kay ⚡🇸🇪🇬🇧🇨🇿🇧🇷🇦🇹 🛡️ 2 months ago

Thank you for the transparency. Just a note, my alby login email address has only ever been used wirh alby so it couldn't have come from another data leak.

Sid Shattuck 2 months ago

↩ replying to ⚡ Dee Kay ⚡🇸🇪🇬🇧🇨🇿🇧🇷🇦🇹

Same situation here

ₓₒbₗₒᵣₜ 🛡️ 2 months ago

↩ replying to Sid Shattuck

aren't this economic valid requests because they are technically possible and filters dont work?!🎉🤔😎

chrizzz 2 months ago

↩ replying to ⚡ Dee Kay ⚡🇸🇪🇬🇧🇨🇿🇧🇷🇦🇹

Same

JotaJillo 2 months ago

↩ replying to ⚡ Dee Kay ⚡🇸🇪🇬🇧🇨🇿🇧🇷🇦🇹

Same here

Cameri🐦‍🔥 2 months ago

↩ replying to ⚡ Dee Kay ⚡🇸🇪🇬🇧🇨🇿🇧🇷🇦🇹

They said password requests were also made against lightning address which is public information. That shouldn’t be possible going forward 🙏

The BTC Philanthropist 2 months ago

↩ replying to Cameri🐦‍🔥

Yep - good to see it's fixed. Thanks @Alby for quick turnaround I want to point out I saw this posted on NOSTR yesterday which was pretty instant and the fact a thread of people calling out to Alby for information worked so well... And alby gets back to us with nostr... Its just so great to see!

The BTC Philanthropist 2 months ago

↩ replying to Cameri🐦‍🔥

In this case are you guys going to change account email if your reset was triggered by lightning address?

Cameri🐦‍🔥 2 months ago

↩ replying to The BTC Philanthropist

I changed mine cause I don’t just have one email address.

The BTC Philanthropist 2 months ago

↩ replying to Cameri🐦‍🔥

Email alias for the win

⚡ Dee Kay ⚡🇸🇪🇬🇧🇨🇿🇧🇷🇦🇹 🛡️ 2 months ago

↩ replying to Cameri🐦‍🔥

I didn't have a public lightning address. My account email address was only known by Alby

Sal Castanedo 2 months ago

↩ replying to ⚡ Dee Kay ⚡🇸🇪🇬🇧🇨🇿🇧🇷🇦🇹

Same here, I realized it was a data breach as the email address I used for Alby was made only for that.

⚡ Dee Kay ⚡🇸🇪🇬🇧🇨🇿🇧🇷🇦🇹 🛡️ 2 months ago

↩ replying to Sal Castanedo

Let's not jump to conclusions without an official statement. The email address can leak via other channels as well from an Internet connected device...

Alby 🛡️ 2 months ago

↩ replying to ⚡ Dee Kay ⚡🇸🇪🇬🇧🇨🇿🇧🇷🇦🇹

That was a failure. Good that you already used a dedicated address. Let us know if we can improve other things:

👤 Alby Accounts - 💡 Request a Feature | Alby

HadaikumLN 2 months ago

Thanks to the email I’ve realized that custom self hosted @ addresses are now very expansive 😢

Alby 🛡️ 2 months ago

↩ replying to HadaikumLN

with custom self hosted @ address you mean using your own domain? That's possible and free:

Use your own domain as lightning address | Alby Account | Alby Guides

How to use your Alby lightning address with own domain?

HadaikumLN 2 months ago

↩ replying to Alby

Thank you 🙏

hasky 2 months ago

My friend send transfer 1000$ to her Alby hub and she expect received soon . Been 2 days .

Alby 🛡️ 2 months ago

↩ replying to hasky

Please ask her to reach out via support.getalby.com so that we can check what exactly happened.

hasky 2 months ago

↩ replying to Alby

I think she will received it’s just this is the first time so she will wait til 3 days . You guys mentioned this on your website . It will take 2-3 working days if I am not mistaken . Right ?

Alby 🛡️ 2 months ago

↩ replying to hasky

Lightning payments are instant. Fiat payments related to one of the integrated exchange providers depend on there terms of service.

hasky 2 months ago

↩ replying to Alby

She has alby cloud pro hub , when she wants to top up her bitcoin , she need to buy bitcoin and through the third payment system like Mt. pelerin .. is it not right ? This is not transfer from lightning to lightning payment ..? Don’t you not know this ?

Alby 🛡️ 2 months ago

↩ replying to hasky

Good to know that she used Mt.Pelerin. If she did KYC, she should receive it on the same day depending on the payment method she used. If she didn't do KYC, she needs to wait 7 days. That's Mt.Pelerin's policy to ensure they are not scammed.

Piotr 2 months ago

I've read something about failure but all I can see is responsible and honest approach. View quoted note →

GeneBean 🛡️ 2 months ago

Hey @Alby - please allow passkey login. My account shouldn’t be constrained solely by email. Email is not a suitable 2FA method. Username + password + TOTP or email token + TOTP are good, but Passkey is better because it requires a device you possess already and doesn’t rely on email that’s phishable. I’ve seen other sites go further and require TOTP after a Passkey too, fwiw. Point being, give uses the option for real 2FA decoupled from email.

Alby 🛡️ 2 months ago

↩ replying to GeneBean

Thanks for your feedback Gene and sorry for the mistake. Could you add your ideas to our feedback board then we can prioritize it:

👤 Alby Accounts - 💡 Request a Feature | Alby

GeneBean 🛡️ 2 months ago

↩ replying to Alby

Done!

Passkeys and/or TOTP, aka real 2FA that isn’t tied to email | 👤 Alby Accounts - 💡 Request a Feature | Alby

Please allow passkey login. My account shouldn’t be constrained solely by email. Email is not a suitable 2FA method. Username + ...

npub1hum9...2dlz 2 months ago

Confirmed, I was also affected by this. Thought it was odd. But don’t use Alby for much so just shrugged it off, thanks for the info!

Cameri🐦‍🔥 2 months ago

Thank you for the update! I changed my email and disabled password logins as well when I got the password reset request email! Would prefer using TOTP with an Authenticator instead of email though but I couldn’t find that in the settings.

Alby 🛡️ 2 months ago

↩ replying to Cameri🐦‍🔥

Thanks for acting and sorry again. Could you upvote or add other features to our feedback board?

👤 Alby Accounts - 💡 Request a Feature | Alby

Avarus Okami 🛡️ 2 months ago

Websites really need to stop using email as an authentication method. There are better options that preserve privacy.

crany 👽🧡🗿 🛡️ 2 months ago

when time sync MFA?

ben 🛡️ 2 months ago

this password reset feels like the tip of an iceberg. leaking emails on reset? credential stuffing? this is basic stuff in auth, which brings my to my next point: this screams a homerolled auth system by someone with little experience or a lapse in judgment. id bet the former. wonder what else you’d fine if you looked around. good time to double check those cookie settings and maybe google “owasp top 10” View quoted note →

Parallel Structures 2 months ago

If the service wasn't already shitty enough. Charging way too much money and the service is crap. Can't even talk to a person without paying. Now they leaked my personal data. Great. Thanks for nothing

Moritz 🛡️ 2 months ago

↩ replying to Parallel Structures

If you really want you can get in touch with Alby anytime using the chat widget on support.getalby.com and I bet you'll receive a reply within 12 hours from a human, not a bot.

NoStrFromObject 2 months ago

accounts? where we are going we wont need accounts. #NDN

Lurisi 2 months ago

2FA would be nice ⚡️

Alby 🛡️ 2 months ago

↩ replying to Lurisi

Thanks for your feedback. If you could upvote and leave add other ideas here:

Offer 2FA for account login | 👤 Alby Accounts - 💡 Request a Feature | Alby

.. as an additional security mechanism for my Alby account.

That would be great.

Lurisi 2 months ago

↩ replying to Alby

Done ⚡️

JoePie 2 months ago

@ZEUS coming in with the steel chair. 💪

₿rad 2 months ago

I actually noticed a request from my email to reset my password that happened yesterday and I just happened to try and reset it today and noticed it while i was searching my inbox.

Alby 🛡️ 2 months ago

↩ replying to ₿rad

Let us know, if we can help anytime: support.getalby.com

Notoshi⚡ 2 months ago

please allow passkey

Alby 🛡️ 2 months ago

↩ replying to Notoshi⚡

Thanks for the feedback.

Susana Chicoria 2 months ago

I have already canceled my subscription a few weeks ago … Any advice on how to manage this.

chriso 🛡️ 1 month ago

@bevo