A glitch in the third-party email newsletter system used by the Let’s Encrypt project accidentally exposed subscribers’ email addresses.
Let’s Encrypt is a project launched by the Mozilla Foundation and the Electronic Frontier Foundation aimed at providing free SSL certificates, so site owners without large budgets can afford to run their sites via HTTPS.
So far the project has issued over 1.7 million certificates, protecting 3.8 million domains.
Some Let’s Encrypt users, along with non-users, also signed up for the project’s newsletter to receive updates and project news. In total, the project says it has over 383,000 subscribers on its newsletter list.
On June 11, 2016, the Let’s Encrypt project started sending emails to all newsletter subscribers about an update to their subscriber agreement.
Like most companies, the project employed a third-party service to handle this task.
The problem was a bug in this system, which started prepending the email addresses of all users earlier in the newsletter queue to each outgoing message, said Josh Aas, executive director of ISRG, the organization behind Let’s Encrypt, in a blog post.
For example, the tenth person in the queue could see the email addresses of the first nine, the eleventh could see the email addresses for the first ten, and so on.
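A constructed illustration of the failure mode described above (added here; not the mailer's actual code, and the report does not state the real cause): a send loop that reuses one header buffer across the queue, so each message carries every earlier recipient, alongside a corrected loop and an outbound check that flags any message exposing an address other than its own recipient.

```python
"""Constructed illustration of a queue sender that leaks earlier
recipients. The hypothetical cause (a list shared across iterations)
is an assumption for demonstration; the real third-party bug is not
described on the page."""

# Constructed sample queue; these are not real subscriber addresses.
QUEUE = [f"subscriber{i}@example.org" for i in range(1, 13)]


def send_buggy(queue):
    """Hypothetical defect: one header list is reused for every message,
    and each new recipient is prepended, so message N shows recipients
    N..1 (its own address plus everyone sent before it)."""
    header_lines = []  # shared across iterations: the bug
    sent = []
    for address in queue:
        header_lines.insert(0, address)  # prepends, as the report describes
        sent.append({"to": address, "visible_addresses": list(header_lines)})
    return sent


def send_fixed(queue):
    """Corrected loop: a fresh header list is built for every message."""
    sent = []
    for address in queue:
        header_lines = [address]  # per-message state, never shared
        sent.append({"to": address, "visible_addresses": header_lines})
    return sent


def leaked_messages(sent):
    """Pre-delivery check a mailer can run: return the recipients of every
    message that exposes an address other than its own recipient."""
    return [m["to"] for m in sent
            if set(m["visible_addresses"]) - {m["to"]}]


def exposure_count(sent):
    """Impact figure for an incident report: total number of third-party
    addresses disclosed across all messages that were sent."""
    return sum(len(m["visible_addresses"]) - 1 for m in sent)


if __name__ == "__main__":
    buggy = send_buggy(QUEUE)
    print("messages leaking addresses:", len(leaked_messages(buggy)))
    print("addresses disclosed in total:", exposure_count(buggy))
    print("leaks after fix:", leaked_messages(send_fixed(QUEUE)))
```

With a 12-address queue the buggy loop leaks in 11 of 12 messages and discloses 66 addresses in total, while the corrected loop leaks nothing.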
Users who received these emails spotted the problem and reported it. Project officials then intervened and stopped the newsletter queue, but not before the malformed newsletters had been sent to 7,618 users.
“We will be doing a thorough postmortem to determine exactly how this happened and how we can prevent something like this from happening again,” Aas said. “We will update this incident report with our conclusions.”