Certificate authority Let's Encrypt admitted over the weekend that it accidentally exposed thousands of its users' email addresses.
Mr. Josh Aas, executive director of the Internet Security Research Group (ISRG), apologized for the accidental data leak. He referred to a published advisory stating that the problem was caused by an error in Let's Encrypt's subscriber email system.
The bug “accidentally added 7618 other email addresses” to an email that was to be sent to subscribers to notify them of a new edition of the certificate authority (CA).
The result was, of course, disappointing and unacceptable for a security certification organization: 7618 recipients were able to see, in plain text, the addresses of others who received the e-mail.
However, Let's Encrypt notes that the data breach could have been much worse had it not noticed the problem and reacted so quickly.
The 7,618 email addresses revealed are only 1.9 percent of the users on the subscriber list. The system stopped sending e-mail before it leaked the addresses of all 383,000 subscribers.
Mr. Josh Aas also mentioned that some users will be able to see more email addresses than others, because each email contained the addresses of the emails sent before it.