Replying to Alby

Overnight we have received notices of some unusual requests to our infrastructure.

Over a short period of time many password reset emails had been requested from various residential proxies around the world. Our rate limiting protects against spamming attacks but requests got through to request password reset emails.

Many of the requests are likely for emails that had been included in some data breach or have been publicly exposed by their owner.

Password reset emails have also been requested for lightning addresses, which falsely exposed the user's email address. This had been a feature deployed to help users keep easy access to their accounts. But as many users post their lightning address on profiles like nostr, this should not be exposed, and a fix has been deployed immediately. Generally there should be no way to display a user's email address. We have failed here. About 5500 password reset emails had been requested by the attacker.

**We have not seen any abnormal related login activity and accounts are safe. People who got a password reset email can ignore the email.**

As we have seen a general increase in attacks on user accounts trying to brute force logins with some emails from some data leaks, we have fully disabled password logins and require all users to log in with the one-time token. This adds another layer of security.

Additionally, we also offer the option to log in with Google.

If you have questions or feedback, please let us know: support.getalby.com
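As an added illustration (not code from Alby or from the post above): a small detector run over constructed reset-request log lines, showing why a per-source limit like the one described did not fire when each residential proxy exit sent only one request, while counting requests and distinct source addresses per minute across the whole endpoint does flag the burst. The log format and thresholds are assumed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed thresholds, not Alby's real configuration.
PER_IP_LIMIT = 5         # classic per-source limit on reset requests per minute
GLOBAL_LIMIT = 20        # endpoint-wide requests per minute
DISTINCT_IP_LIMIT = 10   # distinct source addresses per minute

def make_sample_log():
    """Constructed log lines: one quiet minute, then a distributed burst."""
    base = datetime(2024, 1, 1, 2, 0, tzinfo=timezone.utc)
    lines = []
    # Quiet minute: one user retries three times from a single address.
    for i in range(3):
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts} 203.0.113.7 POST /password/reset")
    # Burst minute: 30 requests, each from a different TEST-NET-2 address,
    # so no single source ever exceeds the per-IP limit.
    burst = base + timedelta(minutes=1)
    for i in range(30):
        ts = (burst + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} 198.51.100.{i + 1} POST /password/reset")
    return lines

def parse(line):
    ts, ip, _method, path = line.split()
    return datetime.fromisoformat(ts), ip, path

def window_start(ts, window=timedelta(minutes=1)):
    """Floor a timestamp to the start of its fixed-size window."""
    return ts - timedelta(seconds=ts.timestamp() % window.total_seconds())

def detect(lines, window=timedelta(minutes=1)):
    """Return per-IP alerts (what the old limit sees) and burst windows."""
    per_ip = defaultdict(int)       # (window, ip) -> requests
    sources = defaultdict(set)      # window -> distinct ips
    totals = defaultdict(int)       # window -> requests from all ips
    for line in lines:
        ts, ip, path = parse(line)
        if path != "/password/reset":
            continue
        w = window_start(ts, window)
        per_ip[(w, ip)] += 1
        sources[w].add(ip)
        totals[w] += 1
    ip_alerts = sorted({ip for (_w, ip), n in per_ip.items() if n > PER_IP_LIMIT})
    burst = sorted(w.isoformat() for w in totals
                   if totals[w] > GLOBAL_LIMIT or len(sources[w]) > DISTINCT_IP_LIMIT)
    return {"per_ip_alerts": ip_alerts, "burst_windows": burst}
```

Running `detect(make_sample_log())` yields no per-IP alert at all but one flagged window, the burst minute; feeding real access logs through `parse` only requires matching the assumed four-field line format.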

Thank you for the transparency.

Just a note, my alby login email address has only ever been used with alby, so it couldn't have come from another data leak.


Discussion

Same situation here

Aren't these economically valid requests, because they are technically possible and filters don't work?! 🎉🤔😎

Same

Same here

They said password requests were also made against lightning address which is public information.

That shouldn't be possible going forward 🙏

Yep - good to see it's fixed. Thanks nostr:nprofile1qqsyv47lazt9h6ycp2fsw270khje5egjgsrdkrupjg27u796g7f5k0spzamhxue69uhhyetvv9ujuurjd9kkzmpwdejhgtcpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhszymhwden5te0wp6hyurvv4cxzeewv4ej7hjm7rj for quick turnaround

I want to point out I saw this posted on NOSTR yesterday, which was pretty instant, and the fact that a thread of people calling out to Alby for information worked so well... And Alby gets back to us with nostr... It's just so great to see!

In this case are you guys going to change account email if your reset was triggered by lightning address?

I changed mine cause I don’t just have one email address.

Email alias for the win

I didn't have a public lightning address. My account email address was only known by Alby

Same here, I realized it was a data breach as the email address I used for Alby was made only for that.

Let's not jump to conclusions without an official statement.

The email address can leak via other channels as well from an Internet-connected device...

That was a failure. Good that you already used a dedicated address.

Let us know if we can improve other things: https://feedback.getalby.com/-alby-accounts-request-a-feature-1