@ Plain Text Nostr


thread · root ebd381df…c51f · depth 1 · · selected ebd381df…c51f


+- Alby -- 6mo ---------------------------------------------------------------------------------------------------[...]+
|                                                                                                                      |
| Overnight we have received notices of some unusual requests to our infrastructure.                                   |
|                                                                                                                      |
| Over a short period of time many password reset emails had been requested from various residential proxies around    |
| the world. Our rate limiting protects against spamming attacks but requests got through to request password reset    |
| emails.                                                                                                              |
|                                                                                                                      |
| Many of the requests are likely for emails that had been included in some data breach or have been publicly exposed  |
| by their owner.                                                                                                      |
| Password reset emails also have been requested for lightning addresses which falsely exposed the user's email        |
| address. This had been a feature deployed to help users keep easy access to their accounts. But as many users post   |
| their lightning address on profiles like nostr this should not be exposed and a fix has been deployed immediately.   |
| Generally there should be no way to display a user's email address. We have failed here. About 5500 password reset   |
| emails had been requested by the attacker.                                                                           |
|                                                                                                                      |
| **We have not seen any abnormal related login activity and accounts are safe. People who got a password reset email  |
| can ignore the email.**                                                                                              |
|                                                                                                                      |
| As we have seen a general increase in attacks on user accounts trying to brute force logins with some emails from    |
| some data leaks we have fully disabled password logins and require all users to login with the one time token. This  |
| adds another layer of security.                                                                                      |
| Additionally we also offer the option to login with Google.                                                          |
|                                                                                                                      |
| If you have questions or feedback, please let us know: support.getalby.com                                           |
|                                                                                                                      |
+-- reply --------------------------------------------------------------------------------------------------------- ---+
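The two failure modes the post describes, a password-reset endpoint that resolves a publicly posted lightning address to the account's email and echoes it back, and a per-source rate limit that a pool of residential proxies simply spreads across, side by side with a hardened handler. This is an added example written for this page, not Alby's code: the account store, the addresses, the IP ranges and the limit values are constructed, and the per-target-account limiter is a standard hardening added here for illustration, not the fix the post says was deployed (the post's own remedy was to stop exposing emails and to disable password login entirely).

```python
import time

# Constructed sample account store (hypothetical, not real Alby data):
# each account has a login email and a lightning address that users commonly
# publish on profiles such as nostr.
ACCOUNTS = {
    "alice@mail.example": {"lightning_address": "alice@ln.example"},
    "bob@mail.example": {"lightning_address": "bob@ln.example"},
}

GENERIC_REPLY = "If an account matches, a password reset email has been sent."


def _find_by_email_or_lightning(identifier):
    """Resolve either an email or a lightning address to the account's email.
    This convenience lookup is what turns a public lightning address into an
    email-disclosure oracle."""
    if identifier in ACCOUNTS:
        return identifier
    for email, acct in ACCOUNTS.items():
        if acct["lightning_address"] == identifier:
            return email
    return None


def request_reset_vulnerable(identifier, sent):
    """Vulnerable handler: accepts a lightning address, echoes the resolved
    email in the reply, and answers differently for unknown identifiers
    (account enumeration). `sent` collects the emails that would be mailed."""
    email = _find_by_email_or_lightning(identifier)
    if email is None:
        return "No account found for that identifier."
    sent.append(email)
    return f"Password reset email sent to {email}"


class FixedWindowLimiter:
    """At most `limit` events per key in each `window`-second window."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.state = {}  # key -> (window_start, count)

    def allow(self, key, now):
        start, count = self.state.get(key, (now, 0))
        if now - start >= self.window:
            start, count = now, 0
        if count >= self.limit:
            self.state[key] = (start, count)
            return False
        self.state[key] = (start, count + 1)
        return True


class ResetService:
    """Hardened handler: only a login email is accepted, the reply never
    depends on whether an account exists and never echoes an address, and the
    reset is limited per target account as well as per source IP, so spreading
    requests over many residential proxies does not multiply the emails sent.
    Limit values are illustrative assumptions."""

    def __init__(self, per_ip=(20, 3600), per_account=(3, 3600), clock=time.time):
        self.ip_limiter = FixedWindowLimiter(*per_ip)
        self.account_limiter = FixedWindowLimiter(*per_account) if per_account else None
        self.clock = clock
        self.sent = []    # emails a mailer would deliver to
        self.audit = []   # (event, source_ip, identifier) for the SOC

    def request_reset(self, identifier, source_ip, now=None):
        now = self.clock() if now is None else now
        if not self.ip_limiter.allow(source_ip, now):
            self.audit.append(("ip_limited", source_ip, identifier))
            return GENERIC_REPLY
        # Exact match on the login email only: a lightning address never resolves.
        email = identifier if identifier in ACCOUNTS else None
        if email is None:
            self.audit.append(("unknown_identifier", source_ip, identifier))
        elif self.account_limiter and not self.account_limiter.allow(email, now):
            self.audit.append(("account_limited", source_ip, email))
        else:
            self.sent.append(email)
        return GENERIC_REPLY


def simulate_proxy_attack(service, targets, proxies, now=0.0):
    """Replay a reset burst: every proxy IP requests a reset for every target.
    Returns the number of reset emails that would actually be sent."""
    for ip in proxies:
        for target in targets:
            service.request_reset(target, ip, now=now)
    return len(service.sent)


if __name__ == "__main__":
    print(request_reset_vulnerable("alice@ln.example", []))  # leaks the login email
    proxies = [f"198.51.100.{i}" for i in range(100)]        # constructed proxy pool
    targets = list(ACCOUNTS)
    print(simulate_proxy_attack(ResetService(per_account=None), targets, proxies))  # per-IP limit only
    print(simulate_proxy_attack(ResetService(), targets, proxies))                  # plus per-account limit
```

With only the per-IP limiter, 100 proxies each making two requests stay under the per-source limit and all 200 emails go out; with the per-account limiter added, each target receives at most three in the window regardless of how many sources the attacker has. The audit tuples are what a detection team would want to see: a burst of `account_limited` events across many distinct source IPs for the same small set of targets is the signature of exactly the campaign the post describes.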
