Hey, I don't think there is much else you could or should have done. You could have directly contacted us as we have direct communication channels open but likely by that time it was already worked on. Thanks for raising the warning and caring. Problem for sure was that we allowed people to enter lightning addresses - for which we sadly had a lot of support requests. So an email address could be exposed for a known lightning address.

At the same time lots of requests have been sent with emails from some leaks (where no account exists) - that's always the case on the evil internet...

Each of those request came from a different residential IP address (we have strict rate limits but the firewall did not catch all).

We'll remove password logins those are too often a source of such problems.

no account was at risk, Alby Hub and the Extension are anyway unaffected.