Well looking at the STAR-#, they are exactly the same as nostr's NIPs. STAR-07 even mentions nostr. Not sure if that's intentional or a mistake.

Fun fact: when you receive a kidney, they don't remove the old ones. If you receive and it gets rejected, you will receive another one and the rejected kidney remains in place. You can get up to 8 kidneys. 🫘

Another covert ad for nostr and decentralization

Overnight we have received notices of some unusual requests to our infrastructure.

Over a short period of time many password reset emails had been requested from various residential proxies around the world. Our rate limiting protects against spamming attacks but requests got through to request password reset emails.

Many of the requests are likely for emails that had been included in some data breach or have been publicly exposed by their owner.

Password request emails also have been requested for lightning addresses which falsely exposed the user's email address. This had been a feature deployed to help users keep easy access to their accounts. But as many users post their lightning address on profiles like nostr this should not be exposed and a fix has been deployed immediately. Generally there should be no way to display a user's email address. We have failed here. About 5500 password reset emails had been requested by the attacker.

**We have not seen any abnormal related login activity and accounts are safe. People who got a password reset email can ignore the email.**

As we have seen a general increase in attacks on user accounts trying to brute force logins with some emails from some data leaks we have fully disabled password logins and require all users to login with the one time token. This adds an another layer of security.

Additionally we also offer the option to login with Google.

If you have questions or feedback, please let us know: support.getalby.com

Good morning. ☀

Late last night I acted quickly to alert Nostr when I realized many of us were under a targeted attack. I have received some criticism for exposing the method that was used to reveal thousands of email addresses from Alby’s user database.

I realize could have handled it differently, but I did what I believed at the moment to be the best interest of disclosure to help others. From what I could tell, the majority of damage had already been done.

The email/password login feature has since been disabled, but anyone who already received an unexpected password reset should consider their email address doxxed.

I do not believe there are any further risks. If you are using the browser extension, your nsec was not exposed by this, because that information never left your possession. This was simply a scrape of Nostr Lightning addresses used to exploit a vulnerability in a login function.

There is a lot to be learned from this by everyone.