Replies (77)
This isn't really a very good explanation. We get that mistakes can happen, but this could have been extremely bad.
It sucks, but at least they own it.
So what can you dol
How come the ‘from’ address is a @getalby.com email? Did they break into your server?
Please note: only Alby Accounts use email-based login. Alby Hub, the Alby Browser Extension, and Alby Go are not affected.
Reset password email will come from alby since it was requested from their website.
Thank you for the transparency.
Just a note, my alby login email address has only ever been used wirh alby so it couldn't have come from another data leak.
You wanna talk security and you add the word GOOGLE 🤦🏻♂️🤦🏻♂️. I will never use Alby.
Same situation here
Confirmed. I have a request to reset my password and I’m not subscribed anymore after having my keys surprisingly changed and lost access to one of my primal accounts.
We've seen many attacks where it seemed attackers have used emails + passwords from different breaches. If you want get a picture of which breaches your email was included in:
Have I Been Pwned
Have I Been Pwned: Check if your email address has been exposed in a data breach
Have I Been Pwned allows you to check whether your email address has been exposed in a data breach.
However, we also recognize that Alby emails could have been exposed through the reset password system as mentioned already in this announcement and we have made the necessary changes to ensure affected users are not at risk of losing their funds.
Nostr keys are saved locally and encrypted in the Alby Extension and are not affected in any way. Please contact Alby support and we can see if there's any way you are able to recover your lost primal account.
They don't break any server, by using your public alby address in nostr, they just requested a password reset. This is not scam email, it's real email from Alby. The hack consists of that they can get your email from your Alby address, but to do so they have to trigger password reset. Everything is pretty safe, don't worry. Just make sure use strong passwords and have in mind for any incoming emails with email address connected to Alby account
Thanks to the email I’ve realized that custom self hosted @ addresses are now very expansive 😢
that's correct. and we're very sorry this happened. we couldn't filter all requests and reset emails have been requested.
that email can be ignored and for additional security we now also enforce login with an one time token.
It's definitely unpleasant that it happened. But one must be careful on the internet. I personally, using tools to check for data leaks, have seen emails leaked from other much bigger companies and software. That's why personal culture regarding cybersecurity is an important thing. I'm also 99% sure that a large part of these emails have already been leaked somewhere else. That's why it's good to use email masking services.
My friend send transfer 1000$ to her Alby hub and she expect received soon . Been 2 days .
yes, many requests we see originate from emails that also don't have accounts with Alby. There are many brute force attacks out there in the wild internet sadly.
Using alias email addresses like the ones proton offers is encouraged.
Good you informed this
Please ask her to reach out via support.getalby.com so that we can check what exactly happened.
aren't this economic valid requests because they are technically possible and filters dont work?!🎉🤔😎
I think she will received it’s just this is the first time so she will wait til 3 days . You guys mentioned this on your website . It will take 2-3 working days if I am not mistaken .
Right ?
Thank you 🙏
Lightning payments are instant. Fiat payments related to one of the integrated exchange providers depend on there terms of service.
She has alby cloud pro hub , when she wants to top up her bitcoin , she need to buy bitcoin and through the third payment system like Mt. pelerin .. is it not right ? This is not transfer from lightning to lightning payment ..?
Don’t you not know this ?
I've read something about failure but all I can see is responsible and honest approach.
View quoted note →Hey
@Alby - please allow passkey login. My account shouldn’t be constrained solely by email. Email is not a suitable 2FA method. Username + password + TOTP or email token + TOTP are good, but Passkey is better because it requires a device you possess already and doesn’t rely on email that’s phishable. I’ve seen other sites go further and require TOTP after a Passkey too, fwiw. Point being, give uses the option for real 2FA decoupled from email.
Confirmed, I was also affected by this. Thought it was odd. But don’t use Alby for much so just shrugged it off, thanks for the info!
Same
Same here
I'd love passkeys in Alby! Passed it on
Thank you for the update!
I changed my email and disabled password logins as well when I got the password reset request email!
Would prefer using TOTP with an Authenticator instead of email though but I couldn’t find that in the settings.
You used the word too too, I will block you now.
They said password requests were also made against lightning address which is public information.
That shouldn’t be possible going forward 🙏
“Hide My Email” is probably one of my favorite iOS features.
Yep - good to see it's fixed. Thanks
@Alby for quick turnaround
I want to point out I saw this posted on NOSTR yesterday which was pretty instant and the fact a thread of people calling out to Alby for information worked so well... And alby gets back to us with nostr... Its just so great to see!
In this case are you guys going to change account email if your reset was triggered by lightning address?
Did you change it so emails are no longer leaked in this fashion?
I just checked HIBP for the email I used with Alby and it shows up in 0 data breaches, so my email was definitely leaked via the password reset mechanism on your site.
I’m not stressing about that too much, but you should be careful about deflecting too much blame.
Websites really need to stop using email as an authentication method. There are better options that preserve privacy.
when time sync MFA?
I changed mine cause I don’t just have one email address.
For info, the email resets received on our side were set up specifically for internal testing and never shared anywhere
Good luck with the investigation and thanks for the transparency! Hope we can all learn something.
The transparency is a good start, but you haven't covered the case where a) an unique email address was used that only Alby had and b) wasn't used as lightning address visible anywhere publicly
this password reset feels like the tip of an iceberg.
leaking emails on reset? credential stuffing?
this is basic stuff in auth, which brings my to my next point: this screams a homerolled auth system by someone with little experience or a lapse in judgment. id bet the former. wonder what else you’d fine if you looked around. good time to double check those cookie settings and maybe google “owasp top 10”
View quoted note →If the service wasn't already shitty enough. Charging way too much money and the service is crap. Can't even talk to a person without paying. Now they leaked my personal data. Great. Thanks for nothing
accounts? where we are going we wont need accounts. #NDN
Email alias for the win
I didn't have a public lightning address. My account email address was only known by Alby
Same here, I realized it was a data breach as the email address I used for Alby was made only for that.
🫡
Gotcha Sir. good point
Let's not jump to conclusions without an official statement.
The email address can leak via other channels as well from an Internet connected device...
This concisely explains it, thank you .
2FA would be nice ⚡️
@ZEUS coming in with the steel chair. 💪
I actually noticed a request from my email to reset my password that happened yesterday and I just happened to try and reset it today and noticed it while i was searching my inbox.
please allow passkey
If you really want you can get in touch with Alby anytime using the chat widget on support.getalby.com and I bet you'll receive a reply within 12 hours from a human, not a bot.
Good to know that she used Mt.Pelerin. If she did KYC, she should receive it on the same day depending on the payment method she used.
If she didn't do KYC, she needs to wait 7 days. That's Mt.Pelerin's policy to ensure they are not scammed.
Thanks for the feedback.
Let us know, if we can help anytime: support.getalby.com
We noticed that a lot of users used their lightning address instead of email address to log into their Alby Account. To make it easy for them we recognized their lightning address instead of rejecting it and sent them the one-time login code via email.
For better guidance we told them the email address, which was a mistake .
Thanks for your feedback. That was certainly a mistake on our side.
Your ideas are good. Could you add them to our feedback board so that we can prioritize them:
👤 Alby Accounts - 💡 Request a Feature | Alby
Let us know if you feel like any information is missing.
Thanks for your understanding and sorry for the mistake. We are getting better.
Thanks for acting and sorry again.
Could you upvote or add other features to our feedback board?
👤 Alby Accounts - 💡 Request a Feature | Alby
Thanks for your feedback Gene and sorry for the mistake.
Could you add your ideas to our feedback board then we can prioritize it:
👤 Alby Accounts - 💡 Request a Feature | Alby
That was a failure. Good that you already used a dedicated address.
Let us know if we can improve other things:
👤 Alby Accounts - 💡 Request a Feature | Alby
Done ⚡️
I have already canceled my subscription a few weeks ago …
Any advice on how to manage this.
I came home and I was surprisingly log out, when I tried and connect my keys were not recognised so I lost access to it , including my primal account.
I uninstall the extension but I’m still getting emails and paying ?!
===========================
#2 🔥 Community Highlights
===========================
1. The signal is so high here. We need more meetups/presentations like this. Great work! 🤝
View quoted note →
2. This time this tremendous character talking to Jeff Jarvis. Watchout who 👇
View quoted note →
3. A good news from Miljan. Let’s get ready for Primal 3.0 🤟
View quoted note →
4. There is no reason to be not 😉
View quoted note →
5. Well said by the Nostr memes master 👌
View quoted note →
6. Let’s listen to a Nostr speech of Matt Odell 👇
View quoted note →
7. It is so nice to see plebs like this 💪
View quoted note →
8. This is 100% true 👇
View quoted note →
9. This is the power of Nostr 😍
View quoted note →
10. We must fight for the privacy 🤝
View quoted note →
11. Alby adds an another security layer to protect users from attackers 🔏
View quoted note →
12. Do you agree Nostriches? 🫵
View quoted note →
13. The macro discussion summary of Lyn Alden with her favorite macro analyst 🗒️
View quoted note →
14. An impressive drone show in Lugana, Switzerland 😍
View quoted note →
15. A new Nostr based voice and video calling app announced 📲
View quoted note →
16. These things can be happen to a tremendous person 🫂
View quoted note →
#community_nostr_recap
@bevo
