Thread

Overnight we have received notices of some unusual requests to our infrastructure. Over a short period of time many password reset emails had been requested from various residential proxies around the world. Our rate limiting protects against spamming attacks but requests got through to request password reset emails. Many of the requests are likely for emails that had been included in some data breach or have been publicly exposed by their owner. Password request emails also have been requested for lightning addresses which falsely exposed the user's email address. This had been a feature deployed to help users keep easy access to their accounts. But as many users post their lightning address on profiles like nostr this should not be exposed and a fix has been deployed immediately. Generally there should be no way to display a user's email address. We have failed here. About 5500 password reset emails had been requested by the attacker. **We have not seen any abnormal related login activity and accounts are safe. People who got a password reset email can ignore the email.** As we have seen a general increase in attacks on user accounts trying to brute force logins with some emails from some data leaks we have fully disabled password logins and require all users to login with the one time token. This adds an another layer of security. Additionally we also offer the option to login with Google. If you have questions or feedback, please let us know: support.getalby.com

Replies (52)

↩ replying to Susana Chicoria
Hey Susana, the Alby Browser Extension is open-source. You can check all changes and verify that there was no update that could have caused such a behavior:
GitHub
GitHub - getAlby/lightning-browser-extension: The Bitcoin Lightning Browser Extension that brings deep Lightning & Nostr integration to the web. Wallet interface to multiple lightning nodes and key signer for Nostr, Liquid and onchain use.
The Bitcoin Lightning Browser Extension that brings deep Lightning & Nostr integration to the web. Wallet interface to multiple lightning nodes...
Hey @Alby - please allow passkey login. My account shouldn’t be constrained solely by email. Email is not a suitable 2FA method. Username + password + TOTP or email token + TOTP are good, but Passkey is better because it requires a device you possess already and doesn’t rely on email that’s phishable. I’ve seen other sites go further and require TOTP after a Passkey too, fwiw. Point being, give uses the option for real 2FA decoupled from email.
this password reset feels like the tip of an iceberg. leaking emails on reset? credential stuffing? this is basic stuff in auth, which brings my to my next point: this screams a homerolled auth system by someone with little experience or a lapse in judgment. id bet the former. wonder what else you’d fine if you looked around. good time to double check those cookie settings and maybe google β€œowasp top 10” View quoted note β†’