Replies (78)
That sucks. Never used Alby.
Yeah, I never used this form before and I didn’t realize it until now.
This is about as bad as sending the plaintext password when you ask for a pw reset
Wow 🤦♂️
This is bad.
Same
And it would be one thing if this were a novel attack, but it isn't. This has been an item to consider for years. We probably covered it in my web Dev security courses in 2014. It was probably a thing even before that. It's malpractice.
😂
Nice one,
@Alby . Come on, basics of privacy and security and you failed them. WTF?
I got a ‘reset your password’ email that I never requested today 👀
I think it's probably just an error with their email provider, they keep saying they are having problems.
Sure
Is my nsec safe ?
We will see what Alby says, seems more likely to be some sort of an error.
Responsible disclosure matters and this is not the way to do it…
I have already PMed
@bumi.
While there is urgency for people to change their emails to a throwaway, you should not be disclosing how/why it works.
We don’t need 1000 people with access to the e-mails instead of 1. Attackers are usually faster than users/devs too.
Even if this is the case, it doesn't excuse the way their password reset system exposes the users email. This is security basics, and it's an absolute failure.
...and if the account serves as nostr signing extension...
Not a good error that leaks your email
Yeah, it's not good
I'm going back to coinos!
Good luck, they’ve been hacked before.
"username OR password is incorrect??? WHICH ONE!?!"
feature, not a bug
I don’t see any reason why not.
lol I forgot my /s
Hey Mr, i also got a password reset email, were you the one trying to access my account? 🤔
I understand why you feel that way, but after seeing every one of my multiple Lightning address emails receive a reset message, I believe the damage has already been done.
Sure, with hundred other people on the internet 🤣
You got some free time there Fishcake haha 😂
Aha, like all 2 seconds to reply to you 🤣
Thought you are a bot for a second 😂
You’ll never know for sure
I wonder if the emails they send will end up in the phishing folder.
Shit.. I received the password reset mail too
Does anyone really sign up using a real (daily use / KYCed) email address??
Just asking for some friends.
Exactly ! Got a password change request but changed my LN provider a while ago. So old infos are going round …..
Same here.
this is why i never used my actual email address and use aliases for everything. email gets put on some list? cool, delete the alias and move on.
Just in case you received the Alby password reset email and had no idea why 👇🏼
View quoted note →My LN address and Alby email are not the same and still got a password reset request
@Alby @bumi @saunter will the attack affect this? Are nsecs safe?
I assume encrypted so yes? Will still be good to hear from you thanks
Send me your nsec and I'll check for you
Bitcoin fixes this
Lol
-------------------------------------------------
Privacy and Other Related Stuff
-------------------------------------------------
Keep private.
1️⃣Use email alias forever on each service
2️⃣Use 2FA - not sms - whenever possible
3️⃣Delete all services that you dont use
4️⃣Encrypt everything.
No busques la perfección.
Una acción cada vez y mejorar cada día.
-------------------------------
End of transmission
-------------------------------
The Daniel ⚡️
Update on the
@Alby attack:
⚠️ IT’S WORSE THAN I THOUGHT! ⚠️
What I believe is happening is someone is using the public Lightning addresses from Nostr profiles to doxx everyone’s registered email address on Alby.
By simply entering a valid Alby address, the login page LEAKS the corresponding email address.
This means that the purpose of the attack is not so much to breach your Alby account, it’s to collect emails of Alby users for future phishing attacks.
I will never use a service that offers to use Google to log in.
Yup. That happened to me, I lost access to one of my accounts.
I unsubscribed Alby and I just had this email from Alby today…..
Holy forking shirt!!!!
Recommendations?
This is why I run my own node hardware 🥲
If a wallet asks for any information, it's an absolute no for me, dawg.
It was scary morning tho 🥹🥹
I started panicking a bit.
I guess it's time for email aliases clean up xd
Just change your email address and use anonymized email retailers for logins.
I'll add - always double check If the email you received is from Alby. The only way to reliable do this is to check the address it was sent from, as the email design can look identical.
Be especially weary if the email prompts you to click some link or login somewhere
Received a bunch of these emails to reset alby recently, including for old abandoned/test accounts. I was getting suspicious.
Thank you! I removed my alby address from my Nostr profile for now
You can bring it back - email password requests are not available anymore.
Hey Susana, If you want to get access to your old account you can DM us at support@getalby.com and we should be able to help!
🔥🔥🔥✅️❗️😤
I haven't gotten a "password reset" request email at all.
Hopefully this means mine wasn't part of the affected addresses??
You have a Rizful Lightning address in your bio so most likely you were not targeted at all.
Thank God.
My vulnerability as an actual human user? The fact that I have to depend on the invulnerability (or appearance of such) of the systems created by other humans.
I feel like many of us forget this.
None of us are perfect. I sure as hell am not. The best we can do is learn from our and each others’ mistakes.
FWIW - email from Alby Support:
Overnight we have received notices of some unusual requests to our infrastructure. Over a short period of time many password reset emails had been requested from various residential proxies around the world. Our rate limiting protects against spamming attacks but requests got through to request password reset emails.
Many of the requests are likely for emails that had been included in some data breach or have been publicly exposed by their owner. Password request emails also have been requested for lightning addresses which falsely exposed the user's email address. This had been a feature deployed to help users keep easy access to their accounts. But as many users post their lightning address on profiles like nostr this should not be exposed and a fix has been deployed immediately. Generally there should be no way to display a user's email address. We have failed here. About 5500 password reset emails had been requested by the attacker.
We have not seen any abnormal related login activity and accounts are safe. People who got a password reset email can ignore the email.
As we have seen a general increase in attacks on user accounts trying to brute force logins with some emails from some data leaks we have fully disabled password logins and require all users to login with the one time token. This adds an another layer of security. Additionally we also offer the option to login with Google.
Please note: only Alby Accounts use email-based login. Alby Hub, the Alby Browser Extension, and Alby Go are not affected.
my email has been leaked many times. You can search your email in have I been pawned website and it shows you all the leaks.
I'm not worried, I get phishing emails all the time. They go straight to my spam folder
HOLY SHIT, WHAT A MESS 🤑
👇
The Daniel ⚡️
Update on the
@Alby attack:
⚠️ IT’S WORSE THAN I THOUGHT! ⚠️
What I believe is happening is someone is using the public Lightning addresses from Nostr profiles to doxx everyone’s registered email address on Alby.
By simply entering a valid Alby address, the login page LEAKS the corresponding email address.
This means that the purpose of the attack is not so much to breach your Alby account, it’s to collect emails of Alby users for future phishing attacks.
Create a new Mail Adresse🤷♂️
Why? I don't care if my email is leaked. I put it on my website. I've been on the internet long enough to not click links inside emails.
Requiring an email address is what has always kept me away.
And no, not going to just spin up a burner email, just not gonna do it.
Stop asking for emails and stop providing them.
dont you like data hoarding and accountitis? leak away. the more the merrier. fuck accounts. and credentials #NDN
Dont recall my exact reason, but used an email alias for my alby acct. And now Im glad I did
today (29.12.25) i received an email from crypto.com – a service i never registered for. i‘m an alby user. i suspect this leak to be the culprit.
I got one too, but sent to an email address I didn’t use with Alby. Scammers just use lists of anyone connected with crypto services to victimize and hope a handful of them respond. Sadly, enough do to make it profitable.
yeah, stay vigilant.
Got another one from Trezor about a “quantum resistant” firmware update. 🤣
