Certificate authority Let's Encrypt has apologised to several thousand of its users for accidentally disclosing their email addresses.
Josh Aas, Executive Director for the Internet Security Research Group (ISRG), published an update on Monday that explains what happened:
"On June 11 2016 (UTC), we started sending an email to all active subscribers who provided an email address, informing them of an update to our subscriber agreement. This was done via an automated system which contained a bug that mistakenly prepended between 0 and 7,618 other email addresses to the body of the email."
As a result, recipients could see other subscribers' email addresses: each message carried the addresses of every recipient of the messages sent before it, so the leak grew as the batch progressed.
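The page does not say what the mailer bug actually looked like, so the following is an added, constructed illustration (not Let's Encrypt's code) of one way a batch mailer ends up with that accumulating pattern, next to a corrected renderer and a pre-send guard that refuses any message whose body contains an address other than its recipient's. Subscriber addresses, the notice text and the function names are all hypothetical.

```python
"""Constructed reconstruction of the failure mode described above: a mail-merge
loop that reuses a mutable body buffer, so each message carries every earlier
recipient's address. Illustrative only; the real bug's code is not on the page."""
import re

# Loose pattern, enough to find addresses in a rendered message body.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed notice text and subscriber list (hypothetical addresses).
NOTICE = "We have updated our subscriber agreement.\n"
SUBSCRIBERS = [
    "alice@example.org",
    "bob@example.net",
    "carol@example.com",
    "dave@example.edu",
]


def render_batch_buggy(recipients, notice):
    """Buggy renderer (hypothetical): one list object is shared across
    iterations and never reset, so each body is prepended with every
    previous recipient, growing by one address per message."""
    lines = []  # shared buffer, never cleared between recipients
    out = []
    for rcpt in recipients:
        lines.insert(0, f"To: {rcpt}")  # prepends, like the incident
        out.append((rcpt, "\n".join(lines) + "\n" + notice))
    return out


def render_batch_fixed(recipients, notice):
    """Corrected renderer: a fresh body is built for every recipient."""
    return [(rcpt, f"To: {rcpt}\n{notice}") for rcpt in recipients]


def leaked_addresses(rcpt, body):
    """Return every address found in body that is not the intended recipient."""
    return sorted({a for a in EMAIL_RE.findall(body) if a.lower() != rcpt.lower()})


def send_batch(rendered, transport):
    """Gate every outgoing message: stop the whole batch the moment a body
    contains an address that is not its recipient's. Returns messages sent."""
    sent = 0
    for rcpt, body in rendered:
        extra = leaked_addresses(rcpt, body)
        if extra:
            raise ValueError(f"refusing to send to {rcpt}: body contains {extra}")
        transport(rcpt, body)
        sent += 1
    return sent


def batch_leak_report(rendered):
    """Map each recipient to the foreign addresses its body would have leaked."""
    return {rcpt: leaked_addresses(rcpt, body) for rcpt, body in rendered}


if __name__ == "__main__":
    buggy = render_batch_buggy(SUBSCRIBERS, NOTICE)
    for rcpt, extra in batch_leak_report(buggy).items():
        print(f"{rcpt}: {len(extra)} foreign address(es)")
    try:
        send_batch(buggy, lambda r, b: None)
    except ValueError as err:
        print("blocked:", err)
    print("fixed batch sent:", send_batch(render_batch_fixed(SUBSCRIBERS, NOTICE), lambda r, b: None))
```

The guard is deliberately placed at the transport boundary rather than in the template code, so it catches this whole class of cross-recipient leakage regardless of which rendering bug produced it; on the first failing message it aborts the batch instead of sending the remainder.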
Leaking the data is more than a breach of privacy. As Paul Ducklin of Naked Security writes, if any one of the computers that received the list was infected with malware, attackers could have harvested those addresses and sent them to a remote server for use in future spam campaigns.
Even so, it could have been worse. Let's Encrypt spotted the problem and stopped the system after it had sent 7,618 of roughly 383,000 emails, so about 2 percent of the active subscriber base had their addresses exposed.
Aas concludes the update with a promise to conduct a thorough investigation of the leak:
"We take our relationship with our users very seriously and apologise for the error. We will be doing a thorough postmortem to determine exactly how this happened and how we can prevent something like this from happening again. We will update this incident report with our conclusions. If you received one of these emails we ask that you not post lists of email addresses publicly."
Let's Encrypt is a certificate authority that lets organisations obtain free SSL/TLS certificates. ISRG operates the authority, which as of mid-April had issued over 1.7 million certificates covering 3.8 million domain names.