Certificate authority Let’s Encrypt unintentionally revealed the email addresses of several thousand of its users a few days ago.
Josh Aas, Executive Director of the Internet Security Research Group (ISRG), the not-for-profit organization that assisted the launch of the certificate provider, apologized for the mistake on Saturday. In what Let’s Encrypt called an initial report, posted soon after it happened, Aas blamed the faux pas on a bug in the automated email system the group uses.
We’re aware of an issue with emails sent over the past few hours and apologize for the error. More information: https://t.co/ExiCXCuCpb
— Let's Encrypt (@letsencrypt) June 11, 2016
The email, a revision to the CA’s subscriber agreement, had a mailing list of at most 7,618 email addresses appended to the body text, meaning every subscriber who received it also received that list of addresses, in plaintext.
Some users saw more emails than other users, however.
“Each email mistakenly contained the email addresses from the emails sent prior to it, so earlier emails contained fewer addresses than later ones,” Aas wrote.
Aas claims it could have been worse, however: officials with the CA noticed the issue and stopped the system before it had sent all 383,000 emails, so only a fraction, 1.9%, went out.
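The pattern Aas describes, in which each message carried the addresses of the recipients that came before it, is what you get when a mail loop accumulates per-message state that is never reset. The following Python is an added illustration, not Let’s Encrypt’s code, and the accumulating-list mechanism is an assumption on my part (the actual root cause was still under investigation when this was written). It reproduces the leak on a constructed five-address list, shows the corrected renderer, and adds the kind of pre-send guard that would have halted the batch at the first message containing another subscriber’s address; all names, addresses and function signatures are constructed for the example.

```python
"""Constructed simulation of an accumulating-recipient mail-loop defect and a
pre-send guard that stops the batch. Not Let's Encrypt's code; the mechanism
is assumed, not confirmed by the incident report."""

import re

# Constructed sample subscriber list; not real addresses.
SUBSCRIBERS = [f"user{i}@example.test" for i in range(1, 6)]
NOTICE = "Our subscriber agreement has been updated. Please review it."

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def render_buggy(subscribers):
    """Buggy renderer (assumed mechanism): the list of addresses processed so
    far lives outside the loop and is appended to every body, so message N
    carries the N-1 addresses that preceded it. Returns (recipient, body)."""
    sent_so_far = []  # bug: never reset between messages
    messages = []
    for addr in subscribers:
        body = NOTICE + "\n" + "\n".join(sent_so_far)  # leaks prior recipients
        messages.append((addr, body))
        sent_so_far.append(addr)
    return messages


def render_fixed(subscribers):
    """Corrected renderer: the body comes from the template alone; no other
    recipient is in scope when a message is rendered."""
    return [(addr, NOTICE) for addr in subscribers]


def leaked_addresses(recipient, body, subscribers):
    """Subscriber addresses found in a body that are not the recipient's own."""
    known = set(subscribers)
    found = set(EMAIL_RE.findall(body))
    return sorted(a for a in found if a in known and a != recipient)


def send_with_guard(messages, subscribers, transport):
    """Send one message at a time and halt the whole batch at the first body
    that names another subscriber. Returns (sent_count, offending) where
    offending is None or (recipient, [leaked addresses])."""
    sent = 0
    for recipient, body in messages:
        bad = leaked_addresses(recipient, body, subscribers)
        if bad:
            return sent, (recipient, bad)
        transport(recipient, body)
        sent += 1
    return sent, None


if __name__ == "__main__":
    outbox = []
    deliver = lambda recipient, body: outbox.append(recipient)
    n, halted = send_with_guard(render_buggy(SUBSCRIBERS), SUBSCRIBERS, deliver)
    print(f"buggy batch: sent {n}, halted on {halted}")
    n, halted = send_with_guard(render_fixed(SUBSCRIBERS), SUBSCRIBERS, deliver)
    print(f"fixed batch: sent {n}, halted on {halted}")
```

Against the buggy renderer the guard delivers only the first message (whose body contains no addresses) and stops on the second; against the fixed renderer all five go out. The guard is cheap because it checks each body against the campaign’s own recipient list rather than trying to detect arbitrary PII.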
The group plans to investigate exactly what led to the leak and is asking anyone who received the email to not post the email addresses online.
“We take our relationship with our users very seriously and apologize for the error,” Aas wrote. “We will be doing a thorough postmortem to determine exactly how this happened and how we can prevent something like this from happening again. We will update this incident report with our conclusions.”