Let’s Encrypt, a free certificate authority, recently announced that a glitch in its email server led to the exposure of more than 7,600 user email addresses.
In a statement, Josh Aas, Executive Director at the Internet Security Research Group (ISRG), explained the issue was caused by a bug in the company’s subscriber email system:
“On June 11 2016 (UTC), we started sending an email to all active subscribers who provided an email address, informing them of an update to our subscriber agreement. This was done via an automated system which contained a bug that mistakenly prepended between 0 and 7,618 other email addresses to the body of the email,” said Aas.
As a result, the recipients of the email could see the email addresses of other recipients in plaintext.
However, Aas noted that the problem was noticed and the system stopped after only 7,618 of approximately 383,000 emails had been sent – 1.9 percent of the company’s subscriber user base.
“Each email mistakenly contained the email addresses from the emails sent prior to it, so earlier emails contained fewer addresses than later ones,” wrote Aas.
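As an added illustration, not ISRG's code, the following Python reconstructs the class of bug the statement describes: a per-message prefix that is never reset between iterations of the send loop, so each message carries every earlier recipient's address, shown beside the corrected loop and a pre-send check that would have caught the leak. The recipient addresses, template text and function names are constructed assumptions.

```python
"""Hypothetical reconstruction of an accumulating-state mail-merge bug.
Not the actual subscriber email system; all names and data are constructed."""

TEMPLATE = "Hello,\n\nOur subscriber agreement has been updated.\n"

# Constructed sample recipients (not real subscriber data).
RECIPIENTS = ["alice@example.org", "bob@example.net", "carol@example.com"]


def render_buggy(recipients):
    """Vulnerable pattern: `prefix` is meant to be per-message but lives
    outside the loop, so message N is prefixed with recipients 0..N-1
    (0 other addresses in the first message, N-1 in the Nth)."""
    prefix = ""
    messages = []
    for addr in recipients:
        messages.append({"to": addr, "body": prefix + TEMPLATE})
        prefix = addr + "\n" + prefix  # state leaks into the *next* message
    return messages


def render_fixed(recipients):
    """Corrected loop: each body is built from the template alone, so no
    per-iteration state survives to the next recipient."""
    return [{"to": addr, "body": TEMPLATE} for addr in recipients]


def leaked_addresses(messages):
    """Pre-send check: for each message, return any *other* recipient's
    address that appears in its body. An empty dict means nothing leaked."""
    all_addrs = {m["to"] for m in messages}
    leaks = {}
    for m in messages:
        others = {a for a in all_addrs if a != m["to"] and a in m["body"]}
        if others:
            leaks[m["to"]] = sorted(others)
    return leaks


if __name__ == "__main__":
    print("buggy :", leaked_addresses(render_buggy(RECIPIENTS)))
    print("fixed :", leaked_addresses(render_fixed(RECIPIENTS)))
```

Gating the dispatch step on `leaked_addresses` returning an empty dict turns the cross-recipient leak into a hard failure before any message leaves the system.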
The company has asked users who may have received one of the emails to not post the list of email addresses publicly.
“We take our relationship with our users very seriously and apologize for the error. We will be doing a thorough postmortem to determine exactly how this happened and how we can prevent something like this from happening again.”
In mid-April, the popular certificate authority said it had issued over 1.7 million certificates and protected 3.8 million domains.