no no…
the issue is that if you install LNbits and do NOT set it up, and have Umbrel exposed on the public internet, then an attacker can do the setup and steal funds by extracting the LND macaroon.
roughly like that.
“public and not fully setup” is the important part here.
Which is what happened to Alby in this example?
It didn't happen to LNbits, it happened to Alby.
I see. I believe this is important information that should be understood by all parties; maybe it can help someone in the future.
What happened was:
I had Umbrel installed on a VPS, with bitcoind, lnd and LNbits. I accessed it via public IP and password. (I knew it was a precarious setup. I was supposed to change it, but I kept delaying it because I didn't really use that node/LNbits, until the day I released pubpay and I was hacked, which makes it very likely that it was someone who saw the release.)
I used the app store to install Alby Hub. But afterwards, you're meant to run the application as it has a first setup page, which I didn't.
Bumi blames me for this setup, as the Umbrel (and the funds) were only protected by the Umbrel password.
As the Alby Umbrel config turned off the default Umbrel authentication, Alby Hub was exposed to the clearnet without a password and the attacker had free access. Bumi says this is good UX; it might be for some, but for me it was fatal.
Bumi says that LNbits has the same vulnerability and, in similar scenarios, the same could happen again. So this might be something to look at.
cc: @Ben Arc
Yes I get it. Umbrel should make sure setup pages are completed, and disable services after x mins. Not blaming Umbrel or anything. It's just a lesson that can be learned from.
It would be just a task and get for most projects.
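The mitigation proposed above (make sure the first-run setup page is completed, and stop serving it after a limited time) sketched as an added example. This is illustrative code written for this thread, not code from Umbrel, Alby Hub or LNbits; the class name, the 10-minute window, the loopback check and the one-time console token are all assumptions about how such a gate could be built.

```python
"""
Added example: a first-run setup gate for a self-hosted app.

Rules it enforces (all assumptions, not any project's actual behaviour):
  * the unauthenticated setup page is only served inside a time window
    that starts when the app is first launched;
  * inside that window, setup is accepted only from the local machine or
    with a one-time token the operator reads from the app's console/log;
  * once setup completes, the setup page is gone for good.
"""
import hmac
import secrets
import time

SETUP_WINDOW_SECONDS = 10 * 60  # assumption: setup must happen within 10 minutes of launch


class SetupGate:
    def __init__(self, started_at=None, window=SETUP_WINDOW_SECONDS,
                 local_prefixes=("127.", "::1")):
        # Clock is injectable so the gate can be tested without sleeping.
        self.started_at = time.time() if started_at is None else started_at
        self.window = window
        self.local_prefixes = local_prefixes
        # One-time token: print it to the operator's console, never serve it over HTTP.
        self.token = secrets.token_urlsafe(32)
        self.completed = False

    def state(self, now, client_ip, token=None):
        """Return 'completed', 'expired', 'forbidden' or 'allowed' for a setup request."""
        if self.completed:
            return "completed"
        if now - self.started_at > self.window:
            return "expired"
        is_local = client_ip.startswith(self.local_prefixes)
        # Constant-time comparison so the token cannot be guessed byte by byte.
        has_token = token is not None and hmac.compare_digest(
            token.encode(), self.token.encode())
        if not (is_local or has_token):
            return "forbidden"
        return "allowed"

    def complete(self, now, client_ip, token=None):
        """Finish setup; returns False if the request is not allowed to do so."""
        if self.state(now, client_ip, token) != "allowed":
            return False
        self.completed = True
        return True


def handle_setup_request(gate, now, client_ip, token=None):
    """Map the gate's decision to the HTTP status the setup page should answer with."""
    return {
        "completed": 404,  # setup page no longer exists
        "expired": 503,    # window closed; operator must restart the app to reopen it
        "forbidden": 403,  # remote client without the console token
        "allowed": 200,
    }[gate.state(now, client_ip, token)]


if __name__ == "__main__":
    gate = SetupGate()
    print("setup token (read this from the console, not the web UI):", gate.token)
    print("remote, no token ->", handle_setup_request(gate, time.time(), "203.0.113.5"))
    print("local             ->", handle_setup_request(gate, time.time(), "127.0.0.1"))
```

With this gate, a node that is reachable from the internet but never set up stops being an open door: a remote client gets 403 during the window and 503 after it, and only someone with console access (the operator) can complete setup. Reopening the window after it expires is deliberately a restart of the app rather than a web action.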