The section quoted below is poorly worded. The feature was improperly designed/deployed if it exposed the email in the browser that the password reset was sent to. But thank you for the quick disclosure.
Perhaps use this as a teaching moment on #nostr responsible disclosure of #security issues from the community. Incentivize it with a Bitcoin bug bounty in the future.
Alby is still a fundamentally valuable service for me personally.
" ... publicly exposed by their owner.
Password request emails also have been requested for lightning addresses which falsely exposed the user's email address. This had been a feature deployed to help users keep easy access to their accounts. But as many users post their lightning address on profiles like nostr, this should not be exposed, and a fix has been deployed immediately. Generally there should be no way to display a user's email address. We have failed here. About 5500 password reset emails had been requested by the attacker."