Thread

This isn't really a very good explanation. We get that mistakes can happen, but this could have been extremely bad.

It sucks, but at least they own it. So what can you dol

How come the ‘from’ address is a @getalby.com email? Did they break into your server?

Please note: only Alby Accounts use email-based login. Alby Hub, the Alby Browser Extension, and Alby Go are not affected.

Reset password email will come from alby since it was requested from their website.

Thank you for the transparency. Just a note, my alby login email address has only ever been used wirh alby so it couldn't have come from another data leak.

You wanna talk security and you add the word GOOGLE 🤦🏻‍♂️🤦🏻‍♂️. I will never use Alby.

Same situation here

Confirmed. I have a request to reset my password and I’m not subscribed anymore after having my keys surprisingly changed and lost access to one of my primal accounts.

We've seen many attacks where it seemed attackers have used emails + passwords from different breaches. If you want get a picture of which breaches your email was included in: https://haveibeenpwned.com/ However, we also recognize that Alby emails could have been exposed through the reset password system as mentioned already in this announcement and we have made the necessary changes to ensure affected users are not at risk of losing their funds.

Nostr keys are saved locally and encrypted in the Alby Extension and are not affected in any way. Please contact Alby support and we can see if there's any way you are able to recover your lost primal account.

They don't break any server, by using your public alby address in nostr, they just requested a password reset. This is not scam email, it's real email from Alby. The hack consists of that they can get your email from your Alby address, but to do so they have to trigger password reset. Everything is pretty safe, don't worry. Just make sure use strong passwords and have in mind for any incoming emails with email address connected to Alby account

Thanks to the email I’ve realized that custom self hosted @ addresses are now very expansive 😢

that's correct. and we're very sorry this happened. we couldn't filter all requests and reset emails have been requested. that email can be ignored and for additional security we now also enforce login with an one time token.

It's definitely unpleasant that it happened. But one must be careful on the internet. I personally, using tools to check for data leaks, have seen emails leaked from other much bigger companies and software. That's why personal culture regarding cybersecurity is an important thing. I'm also 99% sure that a large part of these emails have already been leaked somewhere else. That's why it's good to use email masking services.

My friend send transfer 1000$ to her Alby hub and she expect received soon . Been 2 days .

yes, many requests we see originate from emails that also don't have accounts with Alby. There are many brute force attacks out there in the wild internet sadly. Using alias email addresses like the ones proton offers is encouraged.

Good you informed this

Please ask her to reach out via support.getalby.com so that we can check what exactly happened.

Hey Susana, the Alby Browser Extension is open-source. You can check all changes and verify that there was no update that could have caused such a behavior: https://github.com/getAlby/lightning-browser-extension

aren't this economic valid requests because they are technically possible and filters dont work?!🎉🤔😎

I think she will received it’s just this is the first time so she will wait til 3 days . You guys mentioned this on your website . It will take 2-3 working days if I am not mistaken . Right ?

with custom self hosted @ address you mean using your own domain? That's possible and free: https://guides.getalby.com/user-guide/alby-account/customize-your-lightning-address/use-your-own-domain-as-lightning-address

Thank you 🙏

Lightning payments are instant. Fiat payments related to one of the integrated exchange providers depend on there terms of service.

She has alby cloud pro hub , when she wants to top up her bitcoin , she need to buy bitcoin and through the third payment system like Mt. pelerin .. is it not right ? This is not transfer from lightning to lightning payment ..? Don’t you not know this ?

I've read something about failure but all I can see is responsible and honest approach. nostr:nevent1qqswh5upmuma0h89vdnh7pnk6ap637xg0mtt0k32hwaxrxm98vuv28cpzemhxue69uhhyetvv9ujuurjd9kkzmpwdejhgq3qgetal6ykt05fsz5nqu4uld09nfj3y3qxmv8crys4aeut53unfvlqxpqqqqqqzg0llc3

Hey nostr:nprofile1qqsyv47lazt9h6ycp2fsw270khje5egjgsrdkrupjg27u796g7f5k0spremhxue69uhkummnw3ez6ur4vgh8wetvd3hhyer9wghxuet59uq3xamnwvaz7tmsw4e8qmr9wpskwtn9wvhsdymxeg - please allow passkey login. My account shouldn’t be constrained solely by email. Email is not a suitable 2FA method. Username + password + TOTP or email token + TOTP are good, but Passkey is better because it requires a device you possess already and doesn’t rely on email that’s phishable. I’ve seen other sites go further and require TOTP after a Passkey too, fwiw. Point being, give uses the option for real 2FA decoupled from email.

Confirmed, I was also affected by this. Thought it was odd. But don’t use Alby for much so just shrugged it off, thanks for the info!

Same

Same here

I'd love passkeys in Alby! Passed it on

Thank you for the update! I changed my email and disabled password logins as well when I got the password reset request email! Would prefer using TOTP with an Authenticator instead of email though but I couldn’t find that in the settings.

You used the word too too, I will block you now.

They said password requests were also made against lightning address which is public information. That shouldn’t be possible going forward 🙏

“Hide My Email” is probably one of my favorite iOS features.

Yep - good to see it's fixed. Thanks nostr:nprofile1qqsyv47lazt9h6ycp2fsw270khje5egjgsrdkrupjg27u796g7f5k0spzamhxue69uhhyetvv9ujuurjd9kkzmpwdejhgtcpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhszymhwden5te0wp6hyurvv4cxzeewv4ej7hjm7rj for quick turnaround I want to point out I saw this posted on NOSTR yesterday which was pretty instant and the fact a thread of people calling out to Alby for information worked so well... And alby gets back to us with nostr... Its just so great to see!

In this case are you guys going to change account email if your reset was triggered by lightning address?

Did you change it so emails are no longer leaked in this fashion?

I just checked HIBP for the email I used with Alby and it shows up in 0 data breaches, so my email was definitely leaked via the password reset mechanism on your site. I’m not stressing about that too much, but you should be careful about deflecting too much blame.

Websites really need to stop using email as an authentication method. There are better options that preserve privacy.

when time sync MFA?

I changed mine cause I don’t just have one email address.

For info, the email resets received on our side were set up specifically for internal testing and never shared anywhere Good luck with the investigation and thanks for the transparency! Hope we can all learn something.

The transparency is a good start, but you haven't covered the case where a) an unique email address was used that only Alby had and b) wasn't used as lightning address visible anywhere publicly

this password reset feels like the tip of an iceberg. leaking emails on reset? credential stuffing? this is basic stuff in auth, which brings my to my next point: this screams a homerolled auth system by someone with little experience or a lapse in judgment. id bet the former. wonder what else you’d fine if you looked around. good time to double check those cookie settings and maybe google “owasp top 10” nostr:nevent1qqswh5upmuma0h89vdnh7pnk6ap637xg0mtt0k32hwaxrxm98vuv28cpzemhxue69uhhyetvv9ujuurjd9kkzmpwdejhg0f4n4v

If the service wasn't already shitty enough. Charging way too much money and the service is crap. Can't even talk to a person without paying. Now they leaked my personal data. Great. Thanks for nothing

accounts? where we are going we wont need accounts. #NDN

Email alias for the win

I didn't have a public lightning address. My account email address was only known by Alby

Same here, I realized it was a data breach as the email address I used for Alby was made only for that.

🫡 Gotcha Sir. good point

nostr:npub1getal6ykt05fsz5nqu4uld09nfj3y3qxmv8crys4aeut53unfvlqr80nfm but why?

Let's not jump to conclusions without an official statement. The email address can leak via other channels as well from an Internet connected device...

This concisely explains it, thank you .

2FA would be nice ⚡️

nostr:nprofile1qqsrf5h4ya83jk8u6t9jgc76h6kalz3plp9vusjpm2ygqgalqhxgp9gpzemhxue69uhkzarvv9ejumn0wd68ytnvv9hxgqgkwaehxw309a3xjarrda5kuetj9eek7cmfv9kqs6xl8h coming in with the steel chair. 💪

I actually noticed a request from my email to reset my password that happened yesterday and I just happened to try and reset it today and noticed it while i was searching my inbox.

please allow passkey

If you really want you can get in touch with Alby anytime using the chat widget on support.getalby.com and I bet you'll receive a reply within 12 hours from a human, not a bot.

Good to know that she used Mt.Pelerin. If she did KYC, she should receive it on the same day depending on the payment method she used. If she didn't do KYC, she needs to wait 7 days. That's Mt.Pelerin's policy to ensure they are not scammed.

Thanks for the feedback.

Let us know, if we can help anytime: support.getalby.com

Thanks for your feedback. If you could upvote and leave add other ideas here: https://feedback.getalby.com/-alby-accounts-request-a-feature-1/posts/offer-2fa-for-account-login That would be great.

We noticed that a lot of users used their lightning address instead of email address to log into their Alby Account. To make it easy for them we recognized their lightning address instead of rejecting it and sent them the one-time login code via email. For better guidance we told them the email address, which was a mistake .

Thanks for your feedback. That was certainly a mistake on our side. Your ideas are good. Could you add them to our feedback board so that we can prioritize them: https://feedback.getalby.com/-alby-accounts-request-a-feature-1

Let us know if you feel like any information is missing.

Thanks for your understanding and sorry for the mistake. We are getting better.

Thanks for acting and sorry again. Could you upvote or add other features to our feedback board? https://feedback.getalby.com/-alby-accounts-request-a-feature-1

Thanks for your feedback Gene and sorry for the mistake. Could you add your ideas to our feedback board then we can prioritize it: https://feedback.getalby.com/-alby-accounts-request-a-feature-1

That was a failure. Good that you already used a dedicated address. Let us know if we can improve other things: https://feedback.getalby.com/-alby-accounts-request-a-feature-1

Done ⚡️

I have already canceled my subscription a few weeks ago … Any advice on how to manage this.

I came home and I was surprisingly log out, when I tried and connect my keys were not recognised so I lost access to it , including my primal account. I uninstall the extension but I’m still getting emails and paying ?!

Done! https://feedback.getalby.com/-alby-accounts-request-a-feature-1/posts/passkeys-and-or-totp-aka-real-2fa-that-isn-t-tied-to-email

=========================== #2 🔥 Community Highlights =========================== 1. The signal is so high here. We need more meetups/presentations like this. Great work! 🤝 nostr:nevent1qvzqqqqqqypzpdyfuac80dk47xvxj256jak6dc22fvh342ry7l48kn8dqu74uek5qqs2twk5mpesaedvgv80fr557wy74x9wnp6tqvpae643dez7aw599jgyzh40z 2. This time this tremendous character talking to Jeff Jarvis. Watchout who 👇 nostr:nevent1qvzqqqqqqypzqak8r2hr5jglrk0wc37t59lz98x6gyf6pwaku6hpwakhvslznjh6qqs04l5f36jn074cnd48c6ws08gususpnpmu9gt7wvagqghaw8z5p4scpaym4 3. A good news from Miljan. Let’s get ready for Primal 3.0 🤟 nostr:nevent1qvzqqqqqqypzp4sl80zm866yqrha4esknfwp0j4lxfrt29pkrh5nnnj2rgx6dm62qyvhwumn8ghj7urjv4kkjatd9ec8y6tdv9kzumn9wshszymhwden5te0wp6hyurvv4cxzeewv4ej7qpq89fj3q439n3ft30lphvtjuudwkc93sntt3qdfgsad5txruee8avqv59x8t 4. There is no reason to be not 😉 nostr:nevent1qvzqqqqqqypzp2q0cjncvd8wy64tety4rdx0676k4cvt40fnckhaea476mwgp673qqsd3y73s6njvyhps6lum9cddda0sactsh4mn4g7jauehwd22xmljcgcfl9uw 5. Well said by the Nostr memes master 👌 nostr:nevent1qvzqqqqqqypzp78xcep59u0q2fyqvv8z0cgpdh8rtlp6v98xqs60aa92y5pn9r9fqqsytg269hcvcnrrdn8az9nf2txv43z0l4j70yefkcstw3njmath9ngc2t8er 6. Let’s listen to a Nostr speech of Matt Odell 👇 nostr:nevent1qvzqqqqqqypzq5edsvxllcyuz0n4azc5tjp9wx8uz2cqq0mp6c0fqamjr3llly7tqqszeukd3cf7958fkdlgy5vu7z28yugle56evtgcl6n7w26ctrkjrxcjwghtw 7. It is so nice to see plebs like this 💪 nostr:nevent1qqspfapyj0s6prq6ktmk3n8n5f9u9zvhj2kjm3j7fyyygm8ywdkp26cpzemhxue69uhhyetvv9ujuurjd9kkzmpwdejhgq3q88xk4n2quqcpkfgwhlexc7ccrms2qwdhd86eu8hfzk8mtgjzwucsxpqqqqqqz6s7az7 8. This is 100% true 👇 nostr:nevent1qqsps7fn00hpsaj658ed2w2eyjc7tl4erguj8qwhvd468tgnfmxfh6spzemhxue69uhhyetvv9ujuurjd9kkzmpwdejhgq3q8q204nzhrcrrz8875ytkpf8vk0eg649dc98xuqwsz65znph7z5asxpqqqqqqzpakjfq 9. This is the power of Nostr 😍 nostr:nevent1qvzqqqqqqypzpkmztemrw4pu5ltmuegztq6dkvv2p3ahtv8z848mncuj986m5ma8qyt8wumn8ghj7etyv4hzumn0wd68ytnvv9hxgtcprfmhxue69uhkvctwveshyetn9ehx7um5wgcjucm0d5hszrnhwden5te0dehhxtnvdakz7qpqed2epf94sdfdzmz8lda7vt5fvhlpp67l4s0lslzlwcxgyqm9aqjsvj4ajw 10. We must fight for the privacy 🤝 nostr:nevent1qvzqqqqqqypzq5xeflpdskqvdq4swxj59793uvdzqzc9pzatjk3nhmcg2h0js8trqqsyfrevggh0qawdhwp68gtz2dnxhqnvjlttrec3kps9cc9hsv0azushwqtzy 11. Alby adds an another security layer to protect users from attackers 🔏 nostr:nevent1qvzqqqqqqypzq3jhml5fvklgnq9fxpete767txn9zfzqdkc0sxfptmnchfrexje7qqswh5upmuma0h89vdnh7pnk6ap637xg0mtt0k32hwaxrxm98vuv28cxmpjjn 12. Do you agree Nostriches? 🫵 nostr:nevent1qvzqqqqqqypzqx78pgq53vlnzmdr8l3u38eru0n3438lnxqz0mr39wg9e5j0dfq3qqsyykq40vvzdwhsr7xze8n7h2ngludrjg68a77f098qdy5ju3hp8qg44fedw 13. The macro discussion summary of Lyn Alden with her favorite macro analyst 🗒️ nostr:nevent1qvzqqqqqqypzp64suatdx2uqhn2xfu7cgjuqgqcrqadp864uxkv6wckf43atj860qyfhwumn8ghj7ur4wfcxcetsv9njuetn9uq3wamnwvaz7tmjv4kxz7fwwpexjmtpdshxuet59uq32amnwvaz7tmjv4kxz7fwv3sk6atn9e5k7tcqyr9gdf7parcxxa305c9pt0vauh9sd3tznlnasrwgaete7hrad3sazwndr9w 14. An impressive drone show in Lugana, Switzerland 😍 nostr:nevent1qvzqqqqqqypzqx7n9gux57lx76yt8hrufq80cgwdj34586kpfwjt57p543m6y0nfqqsgc559vhxytrevvywzmnsm8jjn9t3wgrxuefrdsanfcnvnlzkpzmq6h40uw 15. A new Nostr based voice and video calling app announced 📲 nostr:nevent1qvzqqqqqqypzqp85ucrkqnxrlzdpeu2gcnssry9t6y6nngjk55lxp9kuqs54zje6qythwumn8ghj7un9d3shjtnswf5k6ctv9ehx2ap0qqsgs25c8k8kcj4r8cu9r7axg6smtyrztz84jeyqmgyzdnajtetn6mszszmfk 16. These things can be happen to a tremendous person 🫂 nostr:nevent1qvzqqqqqqypzqpxfzhdwlm3cx9l6wdzyft8w8y9gy607tqgtyfq7tekaxs7lhmxfqqspkfhlpssysqz8pnwc0cjj2826c680v45v84t9nkgv6zzm8xghk5syvrr4e #community_nostr_recap

@bevo