That makes sense (and accepting lightning addresses for password resets might have seemed like a reasonable feature, comparable to usernames).

I might suggest a clarification on the official announcement:

“Password request emails also have been requested for lightning addresses which falsely exposed the user's email address”

The phrase “falsely exposed” sounds alarming, but I think you mean that users might “falsely” conclude their email was leaked from Alby, not realizing that their lightning address could have been used to kick off the password reset.

Or am I misreading “falsely exposed” here?