The password reset email could be requested with an email and attackers use leaked emails from lists recorded in for example haveibeenpwned.
Sadly in the Alby case the password reset email could also be requested with the lightning address which is likely what happened to you. Some attacker got the lightning address from nostr for example to do this.
We have disabled this now.
The email address used for this account is only used for Alby. Not reported as leaked.
Not used as my lightning address.
This is slightly more clarifying than the official announcement. You’re saying that if anyone had tried a password reset with a lightning address (for most of your users, that would be their getalby address), you would send the reset email to the real email address on file? But now you’ve disabled that behavior?
yes. and the lighting address is often publicly posted on nostr.
That makes sense (and accepting lightning addresses for password resets might have seemed like a reasonable feature, comparable to usernames).
I might suggest a clarification on the official announcement:
“Password request emails also have been requested for lightning addresses which falsely exposed the user's email address”
The phrase “falsely exposed” sounds alarming, but I think you mean that users might “falsely” conclude their email was leaked from Alby, not realizing that their lightning address could have been used to kick off the password reset.
Or am I misreading “falsely exposed” here?
You cannot login or request password request using the randomly assigned lightning address (which I had).
My account login email address was only known by Alby.
