well I am not totally sure but thought I used Alby from the get-go, which should mask the nsec, but maybe it is all compromised - can't say I never put the nsec into an app. 

hodlpleb

lightning

Unknown Withdrawal from Coinos.io

If you used login with nostr, I think your nsec might have been compromised in a previous breach iirc

I am considering to implement creating a Coinos account with one-click from within SN (like Damus does) but cases like this really makes me reconsider if we shouldn’t warn users about their previous breaches at least first 