That sucks. Never used Alby.

😂

Nice one, nostr:npub1getal6ykt05fsz5nqu4uld09nfj3y3qxmv8crys4aeut53unfvlqr80nfm . Come on, basics of privacy and security and you failed them. WTF?

I got a ‘reset your password’ email that I never requested today 👀

Is my nsec safe ?

Responsible disclosure matters and this is not the way to do it…

I have already PMed nostr:npub1xv8mzscll8vvy5rsdw7dcqtd2j268a6yupr6gzqh86f2ulhy9kkqmclk3x.

While there is urgency for people to change their emails to a throwaway, you should not be disclosing how/why it works.

We don’t need 1000 people with access to the e-mails instead of 1. Attackers are usually faster than users/devs too.

I wonder if the emails they send will end up in the phishing folder.

Shit.. I received the password reset mail too

Does anyone really sign up using a real (daily use / KYCed) email address??

Just asking for some friends.

Exactly ! Got a password change request but changed my LN provider a while ago. So old infos are going round …..

If they ask for an email they ask for a unique identifier, when they don't need one.

Don't support data hoarders my friends.

Support those underground projects that give you access to everything over onion or i2p.

this is why i never used my actual email address and use aliases for everything. email gets put on some list? cool, delete the alias and move on.

Just in case you received the Alby password reset email and had no idea why 👇🏼

nostr:nevent1qqsvhyplfrul5zzgd5hp7my40h8julwfaazllsp2xefu9xn8avxs5acyatwxa

My LN address and Alby email are not the same and still got a password reset request

Bitcoin fixes this

https://njump.me/nevent1qvzqqqqqqypzq3jhml5fvklgnq9fxpete767txn9zfzqdkc0sxfptmnchfrexje7qythwumn8ghj7un9d3shjtnswf5k6ctv9ehx2ap0qyfhwumn8ghj7ur4wfcxcetsv9njuetn9uqzp67ns80n047uu43kwlcxwmt5828ceplddd7692am5cvmv5an33gls2vw6v

-------------------------------------------------

Privacy and Other Related Stuff

-------------------------------------------------

Keep private.

1️⃣Use email alias forever on each service

2️⃣Use 2FA - not sms - whenever possible

3️⃣Delete all services that you dont use

4️⃣Encrypt everything.

No busques la perfección.

Una acción cada vez y mejorar cada día.

-------------------------------

End of transmission

-------------------------------

nostr:nevent1qqsvhyplfrul5zzgd5hp7my40h8julwfaazllsp2xefu9xn8avxs5acpzpmhxue69uhkummnw3ezumt0d5hsyg8wd6sn4w07t39x36hekx35lcq55e45qytu2rhz5c20fndftxmwwspsgqqqqqqszwt56l

I will never use a service that offers to use Google to log in.

Yup. That happened to me, I lost access to one of my accounts.

I unsubscribed Alby and I just had this email from Alby today…..

Holy forking shirt!!!!

Recommendations?

This is why I run my own node hardware 🥲

If a wallet asks for any information, it's an absolute no for me, dawg.

It was scary morning tho 🥹🥹

I started panicking a bit.

I guess it's time for email aliases clean up xd

Update:

nostr:note16nu3n3asyqgl2mdplywmcqjfvw3akcyq99z4vrfv2px6rsjmt47s5fkv74

Received a bunch of these emails to reset alby recently, including for old abandoned/test accounts. I was getting suspicious.

Thank you! I removed my alby address from my Nostr profile for now

FWIW - email from Alby Support:

Overnight we have received notices of some unusual requests to our infrastructure. Over a short period of time many password reset emails had been requested from various residential proxies around the world. Our rate limiting protects against spamming attacks but requests got through to request password reset emails.

Many of the requests are likely for emails that had been included in some data breach or have been publicly exposed by their owner. Password request emails also have been requested for lightning addresses which falsely exposed the user's email address. This had been a feature deployed to help users keep easy access to their accounts. But as many users post their lightning address on profiles like nostr this should not be exposed and a fix has been deployed immediately. Generally there should be no way to display a user's email address. We have failed here. About 5500 password reset emails had been requested by the attacker.

We have not seen any abnormal related login activity and accounts are safe. People who got a password reset email can ignore the email.

As we have seen a general increase in attacks on user accounts trying to brute force logins with some emails from some data leaks we have fully disabled password logins and require all users to login with the one time token. This adds an another layer of security. Additionally we also offer the option to login with Google.

Please note: only Alby Accounts use email-based login. Alby Hub, the Alby Browser Extension, and Alby Go are not affected.

my email has been leaked many times. You can search your email in have I been pawned website and it shows you all the leaks.

I'm not worried, I get phishing emails all the time. They go straight to my spam folder

HOLY SHIT, WHAT A MESS 🤑

👇

nostr:nevent1qqsvhyplfrul5zzgd5hp7my40h8julwfaazllsp2xefu9xn8avxs5acpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhsyg8wd6sn4w07t39x36hekx35lcq55e45qytu2rhz5c20fndftxmwwspsgqqqqqqsv2az42

Thank squid for per account email aliases. Compartmentalization is a big part of security.

Requiring an email address is what has always kept me away.

And no, not going to just spin up a burner email, just not gonna do it.

Stop asking for emails and stop providing them.

dont you like data hoarding and accountitis? leak away. the more the merrier. fuck accounts. and credentials #NDN

nostr:npub1w4rz7n0vunaau499xh86p84s6v5mmgys48p0nmttt7w36takc9dsf4382j

today (29.12.25) i received an email from crypto.com – a service i never registered for. i‘m an alby user. i suspect this leak to be the culprit.