Maybe instead of a rebrand, Alby should have spent some of the money on penetration testing.
Replies (9)
This 🎯
Maybe also... if Alby was actually funded well enough, they'd have the budget to get better security. It's unfortunate in the space that a lot don't have the big budget or talent volume like SV startups do.
Truthfully, the bitcoin lightning space is a hard sell. It's like getting stuck between a rock and a hard place sometimes, and I don't know what to say, but the business model for many startups in this space to survive over the long haul is quite difficult, just from my observation as the fly on the wall.
You donβt need a budget to realize you should never expose information without authentication.
you need budget to keep the talent that knows these things.
Iβm a vibecoder with 6 months of experience and even know these things.
if you are a node runner like i know you are, you are more intelligent than a vast majority out there. its not a fair comparison
see my DM on tg
We donβt even know for certain they were hacked, can you chill?
I am sorry we failed you here, and as you pointed out, this should not have happened. User information must never be displayed, and from one data point alone no other data must be retrievable. We're very cautious there, have checks, strict rate limiting, firewalls, etc.
This started as a feature to help users keep their accounts, and we failed here. Most of the requests (coming from residential proxies all over the place) seem not to have succeeded, but still too many have.
Fixes have been deployed, and we will likely remove password logins in favor of the increased login with a one-time token. (Would love to hear your feedback on this.) We regularly see and block requests with user data registered in sets visible in haveibeenpwned.
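The controls the reply above mentions, as an added illustration that is not Alby's code and says nothing about how their service is built: an account-recovery lookup that answers identically whether or not the identifier exists (contrasted with the leaky form that hands back one data point for another), a per-source rate limiter, and a breached-password check done the way the Pwned Passwords range API works (only a 5-character SHA-1 prefix leaves the client, the suffix is matched locally). The sample accounts, the `fake_range_api` stand-in and its counts are constructed for this example; nothing here calls the real haveibeenpwned service.

```python
"""Added example, not Alby's code. The accounts, the client IP and the
range-API response are constructed for illustration."""
import hashlib
import hmac
import secrets
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Account:
    username: str
    email: str


# Constructed sample users (hypothetical).
ACCOUNTS = {
    "alice": Account("alice", "alice@example.com"),
    "bob": Account("bob", "bob@example.net"),
}


def leaky_lookup(identifier: str) -> dict:
    """The anti-pattern: one unauthenticated data point (username) yields
    another (email), and hits and misses differ, so accounts are enumerable."""
    acct = ACCOUNTS.get(identifier)
    if acct is None:
        return {"status": 404, "body": "no such user"}
    return {"status": 200, "body": {"email": acct.email}}


class SlidingWindowLimiter:
    """At most `limit` requests per key in the trailing `window` seconds.
    The caller supplies the clock so behaviour is deterministic in tests."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.hits: dict[str, deque] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


RECOVERY_REPLY = {"status": 200,
                  "body": "If an account matches, a one-time login link was sent to its email."}


def request_recovery(identifier: str, client_ip: str, now: float,
                     limiter: SlidingWindowLimiter,
                     send_link: Callable[[str, str], None]) -> dict:
    """Hardened form: the response is byte-identical whether or not the
    identifier exists, and the one-time token goes only to the address on file.
    In production, queue `send_link` so response timing is uniform as well."""
    if not limiter.allow(client_ip, now):
        return {"status": 429, "body": "too many requests"}
    acct = ACCOUNTS.get(identifier.strip().lower())
    if acct is not None:
        send_link(acct.email, secrets.token_urlsafe(32))
    return dict(RECOVERY_REPLY)


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_api(breached: list[str]) -> Callable[[str], str]:
    """Constructed stand-in for GET https://api.pwnedpasswords.com/range/{prefix}.
    Like the real endpoint it returns one 'SUFFIX:COUNT' line per hash sharing
    the 5-hex-char prefix; the counts here are made up."""
    buckets: dict[str, list[str]] = defaultdict(list)
    for pw in breached:
        h = sha1_upper(pw)
        buckets[h[:5]].append(f"{h[5:]}:{len(pw) * 1000}")
    return lambda prefix: "\r\n".join(buckets.get(prefix, []))


def password_is_breached(password: str, fetch_range: Callable[[str], str]) -> bool:
    """k-anonymity check: only the 5-char prefix is sent; the 35-char suffix is
    compared locally. Lines with count 0 are padding and never count as a hit."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if hmac.compare_digest(candidate, suffix) and int(count or 0) > 0:
            return True
    return False
```

The point of `request_recovery` is that a caller holding only a username learns nothing new from the reply, not even whether the account exists; the rate limiter then bounds how many identifiers a single source can try, and `password_is_breached` is the kind of check that lets a service refuse credentials already circulating in public breach sets without ever sending the password, or its full hash, to a third party.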