Replying to Alby

Hey Francis, we’re really sorry this happened.

In this case, the Umbrel setup was reachable publicly on the clearnet, so it could be accessed from the outside. At the same time, Alby Hub had also been installed, but the setup wasn’t finished yet. Since the unlock password is created during that setup flow, no password had been set at the time, which allowed the attacker to finish the setup and change the Alby Hub configuration.

We’ve submitted a PR to Umbrel to add an extra authentication layer to require the Umbrel password to access Alby Hub. https://github.com/getumbrel/umbrel-apps/pull/4028

It is sad that people from the community attack such projects. Projects that create awesome things for the community and push the adoption of bitcoin. Projects that work for the benefit of all of us and not for their own profit.

We call on the attacker to return the funds!
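
The failure described in the post above is an unclaimed first-run setup: whoever reaches the setup page first gets to set the unlock password. The following is an added example, not Alby Hub or Umbrel code and not the change in the linked PR, of a setup gate that accepts a claim only from a caller holding a secret generated at install time. `SetupGuard`, its methods, the five-attempt limit and the 12-character minimum are hypothetical.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"sync"
)

var (
	ErrToken   = errors.New("install token missing or wrong")
	ErrClaimed = errors.New("setup already completed")
	ErrWeak    = errors.New("unlock password shorter than 12 characters")
	ErrLocked  = errors.New("too many failed attempts; setup stays closed")
)

// SetupGuard is a hypothetical first-run gate; token is created at install time.
type SetupGuard struct {
	mu       sync.Mutex
	token    []byte
	failures int
	claimed  bool
}

func NewSetupGuard(token string) *SetupGuard { return &SetupGuard{token: []byte(token)} }

// Claim sets the unlock password exactly once, and only for a caller holding the
// install token. Source address is not trusted: behind a proxy it may look local.
func (g *SetupGuard) Claim(token, password string) error {
	g.mu.Lock()
	defer g.mu.Unlock()
	switch {
	case g.claimed:
		return ErrClaimed
	case g.failures >= 5:
		return ErrLocked // fail closed rather than allow unlimited guessing
	case len(g.token) == 0 || subtle.ConstantTimeCompare([]byte(token), g.token) != 1:
		g.failures++
		return ErrToken
	case len(password) < 12:
		return ErrWeak
	}
	g.claimed = true // a real service would store a hash of the password here
	return nil
}

func main() {
	g := NewSetupGuard("constructed-install-token") // constructed sample value
	fmt.Println(g.Claim("", "someone-elses-password")) // rejected: no install token
	fmt.Println(g.Claim("constructed-install-token", "owner-chosen-password"))
}
```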

₿k 1mo ago 💬 1

All projects get attacked; be it open-source freedom tech like Cashu or Alby

the key is to remove any attack surface

nostr:nevent1qqsy66aynuese7y5f43aaqhvulz8g4297gl0v7tk7qcltfxjqtp22cgdwyee4

Discussion

ᴛʜᴇ ᴅᴇᴀᴛʜ ᴏꜰ ᴍʟᴇᴋᴜ 1mo ago 💬 1

they should use nostr auth, and you set the npub when you install it. the end.