This isn't really a very good explanation. We get that mistakes can happen, but this could have been extremely bad.

How come the ‘from’ address is a @getalby.com email? Did they break into your server?

Please note: only Alby Accounts use email-based login. Alby Hub, the Alby Browser Extension, and Alby Go are not affected.

Thank you for the transparency.

Just a note, my alby login email address has only ever been used wirh alby so it couldn't have come from another data leak.

You wanna talk security and you add the word GOOGLE 🤦🏻‍♂️🤦🏻‍♂️. I will never use Alby.

Confirmed. I have a request to reset my password and I’m not subscribed anymore after having my keys surprisingly changed and lost access to one of my primal accounts.

Thanks to the email I’ve realized that custom self hosted @ addresses are now very expansive 😢

My friend send transfer 1000$ to her Alby hub and she expect received soon . Been 2 days .

I've read something about failure but all I can see is responsible and honest approach.

nostr:nevent1qqswh5upmuma0h89vdnh7pnk6ap637xg0mtt0k32hwaxrxm98vuv28cpzemhxue69uhhyetvv9ujuurjd9kkzmpwdejhgq3qgetal6ykt05fsz5nqu4uld09nfj3y3qxmv8crys4aeut53unfvlqxpqqqqqqzg0llc3

Hey nostr:nprofile1qqsyv47lazt9h6ycp2fsw270khje5egjgsrdkrupjg27u796g7f5k0spremhxue69uhkummnw3ez6ur4vgh8wetvd3hhyer9wghxuet59uq3xamnwvaz7tmsw4e8qmr9wpskwtn9wvhsdymxeg - please allow passkey login. My account shouldn’t be constrained solely by email. Email is not a suitable 2FA method. Username + password + TOTP or email token + TOTP are good, but Passkey is better because it requires a device you possess already and doesn’t rely on email that’s phishable. I’ve seen other sites go further and require TOTP after a Passkey too, fwiw. Point being, give uses the option for real 2FA decoupled from email.

Confirmed, I was also affected by this. Thought it was odd. But don’t use Alby for much so just shrugged it off, thanks for the info!

Thank you for the update!

I changed my email and disabled password logins as well when I got the password reset request email!

Would prefer using TOTP with an Authenticator instead of email though but I couldn’t find that in the settings.

“Hide My Email” is probably one of my favorite iOS features.

Websites really need to stop using email as an authentication method. There are better options that preserve privacy.

when time sync MFA?

For info, the email resets received on our side were set up specifically for internal testing and never shared anywhere

Good luck with the investigation and thanks for the transparency! Hope we can all learn something.

this password reset feels like the tip of an iceberg.

leaking emails on reset? credential stuffing?

this is basic stuff in auth, which brings my to my next point: this screams a homerolled auth system by someone with little experience or a lapse in judgment. id bet the former. wonder what else you’d fine if you looked around. good time to double check those cookie settings and maybe google “owasp top 10”

nostr:nevent1qqswh5upmuma0h89vdnh7pnk6ap637xg0mtt0k32hwaxrxm98vuv28cpzemhxue69uhhyetvv9ujuurjd9kkzmpwdejhg0f4n4v

If the service wasn't already shitty enough. Charging way too much money and the service is crap. Can't even talk to a person without paying. Now they leaked my personal data. Great. Thanks for nothing

accounts? where we are going we wont need accounts. #NDN

2FA would be nice ⚡️

nostr:nprofile1qqsrf5h4ya83jk8u6t9jgc76h6kalz3plp9vusjpm2ygqgalqhxgp9gpzemhxue69uhkzarvv9ejumn0wd68ytnvv9hxgqgkwaehxw309a3xjarrda5kuetj9eek7cmfv9kqs6xl8h coming in with the steel chair. 💪

I actually noticed a request from my email to reset my password that happened yesterday and I just happened to try and reset it today and noticed it while i was searching my inbox.

please allow passkey

I have already canceled my subscription a few weeks ago …

Any advice on how to manage this.

@bevo