Overnight we have received notices of some unusual requests to our infrastructure.
Over a short period of time many password reset emails had been requested from various residential proxies around the world. Our rate limiting protects against spamming attacks but requests got through to request password reset emails.
Many of the requests are likely for emails that had been included in some data breach or have been publicly exposed by their owner.
Password request emails also have been requested for lightning addresses which falsely exposed the user's email address. This had been a feature deployed to help users keep easy access to their accounts. But as many users post their lightning address on profiles like nostr this should not be exposed and a fix has been deployed immediately. Generally there should be no way to display a user's email address. We have failed here. About 5500 password reset emails had been requested by the attacker.
**We have not seen any abnormal related login activity and accounts are safe. People who got a password reset email can ignore the email.**
As we have seen a general increase in attacks on user accounts trying to brute force logins with some emails from some data leaks we have fully disabled password logins and require all users to login with the one time token. This adds an another layer of security.
Additionally we also offer the option to login with Google.
If you have questions or feedback, please let us know: support.getalby.com
