Replies (60)
This isn't really a very good explanation. We get that mistakes can happen, but this could have been extremely bad.
It sucks, but at least they own it.
So what can you dol
How come the ‘from’ address is a @getalby.com email? Did they break into your server?
Please note: only Alby Accounts use email-based login. Alby Hub, the Alby Browser Extension, and Alby Go are not affected.
Reset password email will come from alby since it was requested from their website.
Thank you for the transparency.
Just a note, my alby login email address has only ever been used wirh alby so it couldn't have come from another data leak.
Same situation here
We've seen many attacks where it seemed attackers have used emails + passwords from different breaches. If you want get a picture of which breaches your email was included in:
Have I Been Pwned
Have I Been Pwned: Check if your email address has been exposed in a data breach
Have I Been Pwned allows you to check whether your email address has been exposed in a data breach.
However, we also recognize that Alby emails could have been exposed through the reset password system as mentioned already in this announcement and we have made the necessary changes to ensure affected users are not at risk of losing their funds.
Nostr keys are saved locally and encrypted in the Alby Extension and are not affected in any way. Please contact Alby support and we can see if there's any way you are able to recover your lost primal account.
They don't break any server, by using your public alby address in nostr, they just requested a password reset. This is not scam email, it's real email from Alby. The hack consists of that they can get your email from your Alby address, but to do so they have to trigger password reset. Everything is pretty safe, don't worry. Just make sure use strong passwords and have in mind for any incoming emails with email address connected to Alby account
Thanks to the email I’ve realized that custom self hosted @ addresses are now very expansive 😢
that's correct. and we're very sorry this happened. we couldn't filter all requests and reset emails have been requested.
that email can be ignored and for additional security we now also enforce login with an one time token.
It's definitely unpleasant that it happened. But one must be careful on the internet. I personally, using tools to check for data leaks, have seen emails leaked from other much bigger companies and software. That's why personal culture regarding cybersecurity is an important thing. I'm also 99% sure that a large part of these emails have already been leaked somewhere else. That's why it's good to use email masking services.
My friend send transfer 1000$ to her Alby hub and she expect received soon . Been 2 days .
yes, many requests we see originate from emails that also don't have accounts with Alby. There are many brute force attacks out there in the wild internet sadly.
Using alias email addresses like the ones proton offers is encouraged.
Good you informed this
Please ask her to reach out via support.getalby.com so that we can check what exactly happened.
aren't this economic valid requests because they are technically possible and filters dont work?!🎉🤔😎
I think she will received it’s just this is the first time so she will wait til 3 days . You guys mentioned this on your website . It will take 2-3 working days if I am not mistaken .
Right ?
Thank you 🙏
Lightning payments are instant. Fiat payments related to one of the integrated exchange providers depend on there terms of service.
She has alby cloud pro hub , when she wants to top up her bitcoin , she need to buy bitcoin and through the third payment system like Mt. pelerin .. is it not right ? This is not transfer from lightning to lightning payment ..?
Don’t you not know this ?
I've read something about failure but all I can see is responsible and honest approach.
View quoted note →Hey
@Alby - please allow passkey login. My account shouldn’t be constrained solely by email. Email is not a suitable 2FA method. Username + password + TOTP or email token + TOTP are good, but Passkey is better because it requires a device you possess already and doesn’t rely on email that’s phishable. I’ve seen other sites go further and require TOTP after a Passkey too, fwiw. Point being, give uses the option for real 2FA decoupled from email.
Confirmed, I was also affected by this. Thought it was odd. But don’t use Alby for much so just shrugged it off, thanks for the info!
Same
Same here
Thank you for the update!
I changed my email and disabled password logins as well when I got the password reset request email!
Would prefer using TOTP with an Authenticator instead of email though but I couldn’t find that in the settings.
You used the word too too, I will block you now.
They said password requests were also made against lightning address which is public information.
That shouldn’t be possible going forward 🙏
Yep - good to see it's fixed. Thanks
@Alby for quick turnaround
I want to point out I saw this posted on NOSTR yesterday which was pretty instant and the fact a thread of people calling out to Alby for information worked so well... And alby gets back to us with nostr... Its just so great to see!
In this case are you guys going to change account email if your reset was triggered by lightning address?
Did you change it so emails are no longer leaked in this fashion?
I just checked HIBP for the email I used with Alby and it shows up in 0 data breaches, so my email was definitely leaked via the password reset mechanism on your site.
I’m not stressing about that too much, but you should be careful about deflecting too much blame.
Websites really need to stop using email as an authentication method. There are better options that preserve privacy.
when time sync MFA?
I changed mine cause I don’t just have one email address.
The transparency is a good start, but you haven't covered the case where a) an unique email address was used that only Alby had and b) wasn't used as lightning address visible anywhere publicly
this password reset feels like the tip of an iceberg.
leaking emails on reset? credential stuffing?
this is basic stuff in auth, which brings my to my next point: this screams a homerolled auth system by someone with little experience or a lapse in judgment. id bet the former. wonder what else you’d fine if you looked around. good time to double check those cookie settings and maybe google “owasp top 10”
View quoted note →If the service wasn't already shitty enough. Charging way too much money and the service is crap. Can't even talk to a person without paying. Now they leaked my personal data. Great. Thanks for nothing
accounts? where we are going we wont need accounts. #NDN
Email alias for the win
I didn't have a public lightning address. My account email address was only known by Alby
Same here, I realized it was a data breach as the email address I used for Alby was made only for that.
🫡
Gotcha Sir. good point
Let's not jump to conclusions without an official statement.
The email address can leak via other channels as well from an Internet connected device...
This concisely explains it, thank you .
I actually noticed a request from my email to reset my password that happened yesterday and I just happened to try and reset it today and noticed it while i was searching my inbox.
please allow passkey
If you really want you can get in touch with Alby anytime using the chat widget on support.getalby.com and I bet you'll receive a reply within 12 hours from a human, not a bot.
Thanks for your feedback Gene and sorry for the mistake.
Could you add your ideas to our feedback board then we can prioritize it:
👤 Alby Accounts - 💡 Request a Feature | Alby
That was a failure. Good that you already used a dedicated address.
Let us know if we can improve other things:
👤 Alby Accounts - 💡 Request a Feature | Alby
Done ⚡️
I came home and I was surprisingly log out, when I tried and connect my keys were not recognised so I lost access to it , including my primal account.
I uninstall the extension but I’m still getting emails and paying ?!
@bevo
