Certificate authority Let’s Encrypt accidentally disclosed the email addresses of several thousand of its users this weekend.
Josh Aas, Executive Director for the Internet Security Research Group (ISRG), the nonprofit group that helped launch the CA, apologized for the error on Saturday. In what Let’s Encrypt dubbed a preliminary report posted shortly after it happened, Aas blamed the faux pas on a bug in the automated email system the group uses.
The email, an update to the CA’s subscriber agreement, had a list that contained at most 7,618 email addresses appended to the body’s text, meaning anyone who was a subscriber received that list of email addresses in plaintext.
Some users saw more addresses than others, however.
“Each email mistakenly contained the email addresses from the emails sent prior to it, so earlier emails contained fewer addresses than later ones,” Aas wrote.
Aas claims it could’ve been worse, however: officials with the CA noticed the issue and stopped the system before it finished sending out 383,000 emails, meaning only a fraction, 1.9%, was sent.
The group plans to investigate exactly what led to the leak and is asking anyone who received the email to refrain from posting the email addresses online.
“We take our relationship with our users very seriously and apologize for the error,” Aas wrote. “We will be doing a thorough postmortem to determine exactly how this happened and how we can prevent something like this from happening again. We will update this incident report with our conclusions.”