Avatar
โšก Dee Kay โšก๐Ÿ‡ธ๐Ÿ‡ช๐Ÿ‡ฌ๐Ÿ‡ง๐Ÿ‡จ๐Ÿ‡ฟ๐Ÿ‡ง๐Ÿ‡ท๐Ÿ‡ฆ๐Ÿ‡น 2mo ago

Just a note, my alby login email address has only ever been used wirh alby so it couldn't have come from another data leak.

nostr:nevent1qqswh5upmuma0h89vdnh7pnk6ap637xg0mtt0k32hwaxrxm98vuv28cpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhsygzx2l0739jmazvq4yc8908mtev6v5fygpkmp7qey90w0zay0y6t8cpsgqqqqqqsdl99uv

Reply to this note

Please Login to reply.

Discussion

Avatar
d0enakalle๐Ÿ‡โšก 2mo ago

I could narrow my email down to make one or two other services. ๐Ÿคทโ€โ™‚๏ธ

Avatar
d0enakalle๐Ÿ‡โšก 2mo ago

maybe one or two*

Avatar
mike 2mo ago

I regularly get Alby password reset emails from spam accounts going to my spam accounts.

It's noise.

Avatar
โšก Dee Kay โšก๐Ÿ‡ธ๐Ÿ‡ช๐Ÿ‡ฌ๐Ÿ‡ง๐Ÿ‡จ๐Ÿ‡ฟ๐Ÿ‡ง๐Ÿ‡ท๐Ÿ‡ฆ๐Ÿ‡น 2mo ago

This is a separate issue Mike

1. The email was sent from alby so a person/bot must have used the official alby reset password form

2. My account that the reset password was used for is using an email address that is unique to alby, no other service has seen it.

Avatar
bumi 2mo ago

The password reset email could be requested with an email and attackers use leaked emails from lists recorded in for example haveibeenpwned.

Sadly in the Alby case the password reset email could also be requested with the lightning address which is likely what happened to you. Some attacker got the lightning address from nostr for example to do this.

We have disabled this now.

Avatar
โšก Dee Kay โšก๐Ÿ‡ธ๐Ÿ‡ช๐Ÿ‡ฌ๐Ÿ‡ง๐Ÿ‡จ๐Ÿ‡ฟ๐Ÿ‡ง๐Ÿ‡ท๐Ÿ‡ฆ๐Ÿ‡น 2mo ago

The email address used for this account is only used for Alby. Not reported as leaked.

Not used as my lightning address.

Avatar
christopher 2mo ago

This is slightly more clarifying than the official announcement. Youโ€™re saying that if anyone had tried a password reset with a lightning address (for most of your users, that would be their getalby address), you would send the reset email to the real email address on file? But now youโ€™ve disabled that behavior?

Avatar
bumi 2mo ago

yes. and the lighting address is often publicly posted on nostr.

Avatar
christopher 2mo ago

That makes sense (and accepting lightning addresses for password resets might have seemed like a reasonable feature, comparable to usernames).

I might suggest a clarification on the official announcement:

โ€œPassword request emails also have been requested for lightning addresses which falsely exposed the user's email addressโ€

The phrase โ€œfalsely exposedโ€ sounds alarming, but I think you mean that users might โ€œfalselyโ€ conclude their email was leaked from Alby, not realizing that their lightning address could have been used to kick off the password reset.

Or am I misreading โ€œfalsely exposedโ€ here?

Avatar
โšก Dee Kay โšก๐Ÿ‡ธ๐Ÿ‡ช๐Ÿ‡ฌ๐Ÿ‡ง๐Ÿ‡จ๐Ÿ‡ฟ๐Ÿ‡ง๐Ÿ‡ท๐Ÿ‡ฆ๐Ÿ‡น 2mo ago

You cannot login or request password request using the randomly assigned lightning address (which I had).

My account login email address was only known by Alby.

Avatar
christopher 2mo ago

ok, according to another user, the password reset screen *did* reveal the underlying email address for a lightning address. not good!

Avatar
โšก Dee Kay โšก๐Ÿ‡ธ๐Ÿ‡ช๐Ÿ‡ฌ๐Ÿ‡ง๐Ÿ‡จ๐Ÿ‡ฟ๐Ÿ‡ง๐Ÿ‡ท๐Ÿ‡ฆ๐Ÿ‡น 2mo ago

That would explain things and wouldn't be the worst scenario to be honest ๐Ÿ‘

f8
f8e499c2... 2w ago

today (29.12.25) i received an email from crypto.com โ€“ a service i never registered for. iโ€˜m an alby user. i suspect this leak to be the culprit.

Avatar
mike 2mo ago

I'm not sure it is a separate issue, but I'll butt out ๐Ÿ˜‚

Check the SPF field in the mail header to authenticate its originator.

Avatar
โšก Dee Kay โšก๐Ÿ‡ธ๐Ÿ‡ช๐Ÿ‡ฌ๐Ÿ‡ง๐Ÿ‡จ๐Ÿ‡ฟ๐Ÿ‡ง๐Ÿ‡ท๐Ÿ‡ฆ๐Ÿ‡น 2mo ago

Not Spam. Sent from alby

Avatar
mike 2mo ago

I don't think you quite understand what I'm saying ๐Ÿ˜‚

But that's OK. Enjoy your day.

Avatar
โšก Dee Kay โšก๐Ÿ‡ธ๐Ÿ‡ช๐Ÿ‡ฌ๐Ÿ‡ง๐Ÿ‡จ๐Ÿ‡ฟ๐Ÿ‡ง๐Ÿ‡ท๐Ÿ‡ฆ๐Ÿ‡น 2mo ago

i=1 spf=pass spfdomain=pm-bounces.getalby.com dkim=pass dkdomain=pm.mtasv.net dkim=pass dkdomain=getalby.com dmarc=pass fromdomain=getalby.com);