vissha Posted June 12, 2016

Email Server Glitch Exposes Email Addresses for 7,618 Let's Encrypt Users

Glitch exposed details for 1.9% of users, before Let's Encrypt admins intervened and fixed the problem

The Let's Encrypt project announced yesterday that a glitch in the email newsletter system they used accidentally exposed the email addresses of 7,618 users.

Let's Encrypt is a project launched by the Mozilla Foundation and the Electronic Frontier Foundation aimed at providing free SSL certificates, so site owners without large budgets can afford to run their sites via HTTPS. The project is extremely popular and in mid-April was bragging about having issued over 1.7 million certificates and protecting 3.8 million domains.

Some of the Let's Encrypt users have also signed up for the project's newsletter, along with non-users, in order to receive various updates and project news. In total, the project says it has over 383,000 users subscribed to its newsletter.

On June 11, 2016, the Let's Encrypt project started sending emails to all newsletter subscribers about an update to their subscriber agreement.

Glitch in third-party platform is to blame

Like most companies, the project employed a third-party service to handle this task. According to Josh Aas, Let's Encrypt ISRG Executive Director, there was a bug in this system, which started prepending the email addresses of the users that were in the newsletter queue. For example, the tenth person in the queue could see the email addresses of the first nine, the eleventh could see the email addresses for the first ten, and so on.

Users that received these emails quickly spotted the problem and reported the issues (1, 2, 3) to the project's owners, who then intervened and stopped the newsletter queue, but not before sending these malformed newsletters to 7,618 users, which is 1.9% of the entire subscriber base.
"If you received one of these emails we ask that you not post lists of email addresses publicly," Aas pleaded with email recipients. Aas also promised a future incident report on what exactly happened.

[Image: Let's Encrypt email containing extra email addresses]

Let's Encrypt Full Statement:

On June 11 2016 (UTC), we started sending an email to all active subscribers who provided an email address, informing them of an update to our subscriber agreement. This was done via an automated system which contained a bug that mistakenly prepended between 0 and 7,618 other email addresses to the body of the email. The result was that recipients could see the email addresses of other recipients. The problem was noticed and the system was stopped after 7,618 out of approximately 383,000 emails (1.9%) were sent. Each email mistakenly contained the email addresses from the emails sent prior to it, so earlier emails contained fewer addresses than later ones.

We take our relationship with our users very seriously and apologize for the error. We will be doing a thorough postmortem to determine exactly how this happened and how we can prevent something like this from happening again. We will update this incident report with our conclusions.

If you received one of these emails we ask that you not post lists of email addresses publicly.
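The failure mode the article describes (each queued message carrying the addresses of every recipient before it) is a classic accumulator bug in a batch mailer: per-message state that is created once outside the send loop and never reset. The following is an added illustration and is not Let's Encrypt's or its email vendor's code. It shows a constructed mailer whose header buffer is shared across the loop, the corrected form that rebuilds the header per recipient, and a pre-send guard that halts the queue as soon as a rendered message contains another subscriber's address. The subscriber addresses, the `Outbox` class and all function names are constructed for this example.

```python
"""Reconstruction of the accumulator bug behind the newsletter leak.

Constructed illustration, not Let's Encrypt's or their mail vendor's code.
It models the failure mode the post describes: a header buffer that is
reused across the send loop, so recipient N gets the addresses of
recipients 1..N-1 prepended to the body. A guard that inspects each
rendered message before it leaves the queue stops at the second message
instead of the 7,618th.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Constructed sample subscriber list (fictional addresses, in queue order).
SUBSCRIBERS = [f"user{i}@example.test" for i in range(1, 11)]
BODY = "We have updated our subscriber agreement. Please review it."

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


@dataclass
class Outbox:
    """Collects rendered messages instead of handing them to SMTP."""
    sent: List[Dict[str, str]] = field(default_factory=list)

    def send(self, to: str, body: str) -> None:
        self.sent.append({"to": to, "body": body})


def make_buggy_renderer(body: str) -> Callable[[str], str]:
    """Renders 'To: <addr>' + body, but the header list is created once,
    outside the per-message scope, so it grows with every call."""
    header: List[str] = []              # BUG: shared across all messages

    def render(addr: str) -> str:
        header.append(f"To: {addr}")
        return "\n".join(header + ["", body])

    return render


def make_fixed_renderer(body: str) -> Callable[[str], str]:
    """Same template, but the header is rebuilt from scratch per message."""

    def render(addr: str) -> str:
        header = [f"To: {addr}"]        # fresh state for each recipient
        return "\n".join(header + ["", body])

    return render


def leaked_addresses(recipient: str, message: str, known: Set[str]) -> List[str]:
    """Return subscriber addresses, other than the recipient's own, that
    appear anywhere in the rendered message, in order of first appearance."""
    leaked: List[str] = []
    for found in EMAIL_RE.findall(message):
        if found in known and found != recipient and found not in leaked:
            leaked.append(found)
    return leaked


def send_batch(subscribers: List[str], renderer: Callable[[str], str],
               outbox: Outbox, guard: bool = True) -> int:
    """Send to each subscriber in queue order. With guard=True, halt the
    queue at the first message that would disclose another subscriber's
    address. Returns the number of messages actually sent."""
    known = set(subscribers)
    sent = 0
    for addr in subscribers:
        message = renderer(addr)
        if guard and leaked_addresses(addr, message, known):
            break                       # stop the queue before the leak goes out
        outbox.send(addr, message)
        sent += 1
    return sent


if __name__ == "__main__":
    unguarded = Outbox()
    send_batch(SUBSCRIBERS, make_buggy_renderer(BODY), unguarded, guard=False)
    last = unguarded.sent[-1]
    n_leaked = len(leaked_addresses(last["to"], last["body"], set(SUBSCRIBERS)))
    print(f"buggy, unguarded: last message leaks {n_leaked} other addresses")

    guarded = Outbox()
    n = send_batch(SUBSCRIBERS, make_buggy_renderer(BODY), guarded)
    print(f"buggy, guarded: queue halted after {n} message(s)")

    fixed = Outbox()
    n = send_batch(SUBSCRIBERS, make_fixed_renderer(BODY), fixed)
    print(f"fixed, guarded: {n} messages sent, none leaked")
```

The guard is a compensating control rather than a fix: it compares every outgoing body against the subscriber set the batch is drawn from, which catches this accumulator pattern regardless of how the template engine is wired. In the incident itself the queue was only stopped after recipients reported the malformed emails; an automated check of this kind, or sending the first few messages of a batch to internal canary addresses, would have halted it after one message.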