Replying to Avatar ⚑ Dee Kay βš‘πŸ‡ΈπŸ‡ͺπŸ‡¬πŸ‡§πŸ‡¨πŸ‡ΏπŸ‡§πŸ‡·πŸ‡¦πŸ‡Ή

Just a note, my alby login email address has only ever been used wirh alby so it couldn't have come from another data leak.

nostr:nevent1qqswh5upmuma0h89vdnh7pnk6ap637xg0mtt0k32hwaxrxm98vuv28cpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhsygzx2l0739jmazvq4yc8908mtev6v5fygpkmp7qey90w0zay0y6t8cpsgqqqqqqsdl99uv

Avatar
mike 2mo ago

I regularly get Alby password reset emails from spam accounts going to my spam accounts.

It's noise.

Reply to this note

Please Login to reply.

Discussion

Avatar
⚑ Dee Kay βš‘πŸ‡ΈπŸ‡ͺπŸ‡¬πŸ‡§πŸ‡¨πŸ‡ΏπŸ‡§πŸ‡·πŸ‡¦πŸ‡Ή 2mo ago

This is a separate issue Mike

1. The email was sent from alby so a person/bot must have used the official alby reset password form

2. My account that the reset password was used for is using an email address that is unique to alby, no other service has seen it.

Avatar
bumi 2mo ago

The password reset email could be requested with an email and attackers use leaked emails from lists recorded in for example haveibeenpwned.

Sadly in the Alby case the password reset email could also be requested with the lightning address which is likely what happened to you. Some attacker got the lightning address from nostr for example to do this.

We have disabled this now.

Avatar
⚑ Dee Kay βš‘πŸ‡ΈπŸ‡ͺπŸ‡¬πŸ‡§πŸ‡¨πŸ‡ΏπŸ‡§πŸ‡·πŸ‡¦πŸ‡Ή 2mo ago

The email address used for this account is only used for Alby. Not reported as leaked.

Not used as my lightning address.

Avatar
christopher 2mo ago

This is slightly more clarifying than the official announcement. You’re saying that if anyone had tried a password reset with a lightning address (for most of your users, that would be their getalby address), you would send the reset email to the real email address on file? But now you’ve disabled that behavior?

Avatar
bumi 2mo ago

yes. and the lighting address is often publicly posted on nostr.

Avatar
christopher 2mo ago

That makes sense (and accepting lightning addresses for password resets might have seemed like a reasonable feature, comparable to usernames).

I might suggest a clarification on the official announcement:

β€œPassword request emails also have been requested for lightning addresses which falsely exposed the user's email address”

The phrase β€œfalsely exposed” sounds alarming, but I think you mean that users might β€œfalsely” conclude their email was leaked from Alby, not realizing that their lightning address could have been used to kick off the password reset.

Or am I misreading β€œfalsely exposed” here?

Avatar
⚑ Dee Kay βš‘πŸ‡ΈπŸ‡ͺπŸ‡¬πŸ‡§πŸ‡¨πŸ‡ΏπŸ‡§πŸ‡·πŸ‡¦πŸ‡Ή 2mo ago

You cannot login or request password request using the randomly assigned lightning address (which I had).

My account login email address was only known by Alby.

Avatar
christopher 2mo ago

ok, according to another user, the password reset screen *did* reveal the underlying email address for a lightning address. not good!

Avatar
⚑ Dee Kay βš‘πŸ‡ΈπŸ‡ͺπŸ‡¬πŸ‡§πŸ‡¨πŸ‡ΏπŸ‡§πŸ‡·πŸ‡¦πŸ‡Ή 2mo ago

That would explain things and wouldn't be the worst scenario to be honest πŸ‘

f8
f8e499c2... 1w ago

today (29.12.25) i received an email from crypto.com – a service i never registered for. iβ€˜m an alby user. i suspect this leak to be the culprit.

Avatar
mike 2mo ago

I'm not sure it is a separate issue, but I'll butt out πŸ˜‚

Check the SPF field in the mail header to authenticate its originator.

Avatar
⚑ Dee Kay βš‘πŸ‡ΈπŸ‡ͺπŸ‡¬πŸ‡§πŸ‡¨πŸ‡ΏπŸ‡§πŸ‡·πŸ‡¦πŸ‡Ή 2mo ago

Not Spam. Sent from alby

Avatar
mike 2mo ago

I don't think you quite understand what I'm saying πŸ˜‚

But that's OK. Enjoy your day.

Avatar
⚑ Dee Kay βš‘πŸ‡ΈπŸ‡ͺπŸ‡¬πŸ‡§πŸ‡¨πŸ‡ΏπŸ‡§πŸ‡·πŸ‡¦πŸ‡Ή 2mo ago

i=1 spf=pass spfdomain=pm-bounces.getalby.com dkim=pass dkdomain=pm.mtasv.net dkim=pass dkdomain=getalby.com dmarc=pass fromdomain=getalby.com);