Today on 6/25/17 I encountered a glaring security flaw with AlphaBay's 2-FA system.
I went to log in and where the 2-FA decryption message normally is, there was a message that there was an issue with my PGP key and to change it in my profile. There was no message to decrypt, it just showed my 2-FA login code in PLAINTEXT!
AlphaBay just gave away my login code to anyone that would have made it to the 2-FA screen trying to access my account. From there they could have taken complete control of my vendor account.
The PGP error page did not ask for a pin, mnemonic, or any other secondary authentication method.
The thing is, there was no issue with my PGP key. It's been the same key ever since I started vending and I haven't changed it. There was no reason for this to happen, and anyone could have gotten into my account. I can't have people getting into my account, I'm a level 4 vendor with over $30k of business conducted on AlphaBay in just the past 2 months.
I went to my profile and updated my PGP key to the exact same one I've always been using, and that seems to have fixed the issue.
This has happened to me on a normal account I operated there. I got the same message to change my key. I didn't and 2fa worked fine on all logins after that.