I'm glad that this personal attack on me raised awareness to try to fix the vulnerability before others lose their funds..
Pity that I had to lose both my money and my hope for the community for it to happen...
Hey Francis, we’re really sorry this happened.
In this case, the Umbrel setup was reachable publicly on the clearnet, so it could be accessed from the outside. At the same time Alby Hub had also been installed but the setup wasn’t finished yet. Since the unlock password is created during that setup flow, no password had been set at the time which allowed the attacker to finish the setup and change the Alby Hub configuration.
We’ve submitted a PR to Umbrel to add an extra authentication layer to require the umbrel password to access alby hub. https://github.com/getumbrel/umbrel-apps/pull/4028
It is sad that people from the community attack such projects. Projects that create awesome things for the community and push the adoption of bitcoin. Projects that work for the benefit of all of us and not for their own profit.
We call on the attacker to return the funds!
