Update on the nostr:npub1getal6ykt05fsz5nqu4uld09nfj3y3qxmv8crys4aeut53unfvlqr80nfm attack:

⚠️ IT’S WORSE THAN I THOUGHT! ⚠️

What I believe is happening is someone is using the public Lightning addresses from Nostr profiles to doxx everyone’s registered email address on Alby.

By simply entering a valid Alby address, the login page LEAKS the corresponding email address.

This means that the purpose of the attack is not so much to breach your Alby account as to collect emails of Alby users for future phishing attacks.

Responsible disclosure matters and this is not the way to do it…

I have already PMed nostr:npub1xv8mzscll8vvy5rsdw7dcqtd2j268a6yupr6gzqh86f2ulhy9kkqmclk3x.

While there is urgency for people to change their emails to a throwaway, you should not be disclosing how/why it works.

We don’t need 1000 people with access to the emails instead of 1. Attackers are usually faster than users/devs too.


Discussion

I understand why you feel that way, but after seeing every one of my multiple Lightning address emails receive a reset message, I believe the damage has already been done.