This is a separate issue, Mike

1. The email was sent from alby so a person/bot must have used the official alby reset password form

2. My account that the reset password was used for is using an email address that is unique to alby, no other service has seen it.


Discussion

The password reset email could be requested with an email, and attackers use leaked emails from lists recorded in, for example, haveibeenpwned.

Sadly, in the Alby case the password reset email could also be requested with the lightning address, which is likely what happened to you. Some attacker got the lightning address from nostr, for example, to do this.

We have disabled this now.

The email address used for this account is only used for Alby. Not reported as leaked.

Not used as my lightning address.

This is slightly more clarifying than the official announcement. You're saying that if anyone had tried a password reset with a lightning address (for most of your users, that would be their getalby address), you would send the reset email to the real email address on file? But now you've disabled that behavior?

yes. and the lightning address is often publicly posted on nostr.

That makes sense (and accepting lightning addresses for password resets might have seemed like a reasonable feature, comparable to usernames).

I might suggest a clarification on the official announcement:

"Password request emails also have been requested for lightning addresses which falsely exposed the user's email address"

The phrase "falsely exposed" sounds alarming, but I think you mean that users might "falsely" conclude their email was leaked from Alby, not realizing that their lightning address could have been used to kick off the password reset.

Or am I misreading "falsely exposed" here?

You cannot login or request a password reset using the randomly assigned lightning address (which I had).

My account login email address was only known by Alby.

ok, according to another user, the password reset screen *did* reveal the underlying email address for a lightning address. not good!
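The behaviour described in the post above, as an added illustration that is not part of this thread and not Alby's code: a constructed reset handler that resolves any known identifier (including the public lightning address) and echoes the email on file, beside a hardened handler that accepts only the email and answers the same way whether or not an account exists. The accounts, addresses and message strings are made up.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class User:
    email: str              # private login email, known only to the service
    lightning_address: str  # public identifier, routinely posted on nostr


# Constructed sample account (hypothetical, not real Alby data).
USERS: List[User] = [
    User("private-inbox@example.com", "alice@getalby.com"),
]

# Constructed outbox: one entry per reset email "sent".
SENT: List[str] = []


def _find_by_any_identifier(identifier: str) -> Optional[User]:
    """Resolve an account by email OR lightning address."""
    ident = identifier.strip().lower()
    for u in USERS:
        if ident in (u.email.lower(), u.lightning_address.lower()):
            return u
    return None


def request_reset_leaky(identifier: str) -> str:
    """Weak design as described in the thread: a public lightning address
    resolves the account, and the reply discloses the private email."""
    user = _find_by_any_identifier(identifier)
    if user is None:
        return "No account found"              # also confirms non-existence
    SENT.append(user.email)
    return f"Reset link sent to {user.email}"  # leaks the email on file


def request_reset_hardened(identifier: str) -> str:
    """Hardened version: resolve by login email only, never echo the
    address back, and answer identically whether or not an account exists
    (pair this with per-IP and per-identifier rate limiting)."""
    ident = identifier.strip().lower()
    for u in USERS:
        if u.email.lower() == ident:
            SENT.append(u.email)
            break
    return "If that email is registered, a reset link has been sent"
```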

That would explain things and wouldn't be the worst scenario to be honest 👍

Today (29.12.25) I received an email from crypto.com – a service I never registered for. I'm an Alby user. I suspect this leak to be the culprit.

I'm not sure it is a separate issue, but I'll butt out 😂

Check the SPF field in the mail header to authenticate its originator.

Not Spam. Sent from alby

I don't think you quite understand what I'm saying 😂

But that's OK. Enjoy your day.

i=1 spf=pass spfdomain=pm-bounces.getalby.com dkim=pass dkdomain=pm.mtasv.net dkim=pass dkdomain=getalby.com dmarc=pass fromdomain=getalby.com);