According to Alby the attacker was taking lightning addresses and requesting password resets. This basically dox profiles giving out the email. So the email from Alvby is legitimate. But the attacker now has email addresses associated with Alvby accounts associated with lightning addresses. Public posted to people's nostr accounts etc. More than likely recommended to reset your email, since you probably should have been using an alias if you weren't. They said that Alby Hub and every other service is unaffected and there are no further security issues...