Replying to Avatar Alby

Overnight we have received notices of some unusual requests to our infrastructure.

Over a short period of time many password reset emails had been requested from various residential proxies around the world. Our rate limiting protects against spamming attacks but requests got through to request password reset emails.

Many of the requests are likely for emails that had been included in some data breach or have been publicly exposed by their owner.

Password request emails also have been requested for lightning addresses which falsely exposed the user's email address. This had been a feature deployed to help users keep easy access to their accounts. But as many users post their lightning address on profiles like nostr this should not be exposed and a fix has been deployed immediately. Generally there should be no way to display a user's email address. We have failed here. About 5500 password reset emails had been requested by the attacker.

**We have not seen any abnormal related login activity and accounts are safe. People who got a password reset email can ignore the email.**

As we have seen a general increase in attacks on user accounts trying to brute force logins with some emails from some data leaks we have fully disabled password logins and require all users to login with the one time token. This adds an another layer of security.

Additionally we also offer the option to login with Google.

If you have questions or feedback, please let us know: support.getalby.com
Avatar
Keysa - Simplest Bitcoin Edu 2mo ago πŸ’¬ 3

How come the β€˜from’ address is a @getalby.com email? Did they break into your server?

Reply to this note

Please Login to reply.

Discussion

Avatar
⚑ Dee Kay βš‘πŸ‡ΈπŸ‡ͺπŸ‡¬πŸ‡§πŸ‡¨πŸ‡ΏπŸ‡§πŸ‡·πŸ‡¦πŸ‡Ή 2mo ago

Reset password email will come from alby since it was requested from their website.

Avatar
Dimitar Manovski 2mo ago πŸ’¬ 2

They don't break any server, by using your public alby address in nostr, they just requested a password reset. This is not scam email, it's real email from Alby. The hack consists of that they can get your email from your Alby address, but to do so they have to trigger password reset. Everything is pretty safe, don't worry. Just make sure use strong passwords and have in mind for any incoming emails with email address connected to Alby account

Avatar
bumi 2mo ago πŸ’¬ 1

that's correct. and we're very sorry this happened. we couldn't filter all requests and reset emails have been requested.

that email can be ignored and for additional security we now also enforce login with an one time token.

Avatar
Dimitar Manovski 2mo ago πŸ’¬ 1

It's definitely unpleasant that it happened. But one must be careful on the internet. I personally, using tools to check for data leaks, have seen emails leaked from other much bigger companies and software. That's why personal culture regarding cybersecurity is an important thing. I'm also 99% sure that a large part of these emails have already been leaked somewhere else. That's why it's good to use email masking services.

Avatar
bumi 2mo ago

yes, many requests we see originate from emails that also don't have accounts with Alby. There are many brute force attacks out there in the wild internet sadly.

Using alias email addresses like the ones proton offers is encouraged.

Avatar
⚑ Dee Kay βš‘πŸ‡ΈπŸ‡ͺπŸ‡¬πŸ‡§πŸ‡¨πŸ‡ΏπŸ‡§πŸ‡·πŸ‡¦πŸ‡Ή 2mo ago

The transparency is a good start, but you haven't covered the case where a) an unique email address was used that only Alby had and b) wasn't used as lightning address visible anywhere publicly