Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Privacy Bug Electronic Frontier Foundation Encryption Mozilla

Thousands of Email Addresses Accidentally Disclosed By Let's Encrypt (letsencrypt.org) 81

An anonymous reader writes "Let's Encrypt, the certificate authority best known for offering free SSL/TLS certificates, has reported that it accidentally disclosed thousands of user email addresses due to a bug with an automated emailing system." Executive Director Josh Aas posted this announcement: On June 11 2016 (UTC), we started sending an email to all active subscribers who provided an email address, informing them of an update to our subscriber agreement. This was done via an automated system which contained a bug that mistakenly prepended between 0 and 7,618 other email addresses to the body of the email... The problem was noticed and the system was stopped after 7,618 out of approximately 383,000 emails (1.9%) were sent. Each email mistakenly contained the email addresses from the emails sent prior to it, so earlier emails contained fewer addresses than later ones.

We take our relationship with our users very seriously and apologize for the error... If you received one of these emails we ask that you not post lists of email addresses publicly.

This discussion has been archived. No new comments can be posted.

Thousands of Email Addresses Accidentally Disclosed By Let's Encrypt

Comments Filter:
  • Why the heck do they actually require to store e-mail addresses the first place? ACME works with public keys and cryptography, no? Or was it the email addresses for some forum or something, unrelated from the core service?

    • by allo ( 1728082 )

      its optional for access recovery (revocing certs when you lost your access key) and notification mails about certs about to expire (to see if your automatic renewal failed).

  • by Anonymous Coward

    I guess this demonstrates how seriously they take security. I wonder how they protect their root keys.

    • by Anonymous Coward

      I first learned about this awful incident at Hacker News [ycombinator.com].

      What scares me the most is some of the responses there which just brush it off as no big deal! There are comments there like:

      It sucks this happened but I don't really care.

      and

      Interesting. Slightly embarrassing. Not a huge deal. Handled well.

      and

      Things like this happens all the time. Give them a break.

      The responses are just about as bad over at reddit [reddit.com]:

      Stupid bug, but the consequences of this bug is... nada. zip.

      and

      this is non-news, emails are public inf

      • Re: (Score:1, Insightful)

        by Anonymous Coward

        To make matters worse I'm seeing comments from people pointing out that this is not acceptable getting downvoted!

        Yes, the generic term for this phenomenon is "echo chamber". The same thing happens here at Slashdot if you say certain things that are unpopular and back them up with solid evidence so they can't easily be hand-waved away. It's just the way small minded people react at the point where they should say "I was mistaken".

        It scares the living hell out me that people can think that somehow this incident was acceptable or excusable, especially when it was an organization that has to put security, privacy and trust paramount that was responsible. This incident was not acceptable. It should be considered a total disaster.

        Speaking of small minded people, they generally look at particulars and not at principles. So it's all insignificant until they personally get hurt by it. When it's a SSN or a bank account

      • by Cyberax ( 705495 )
        Uhm... Why are they incorrect? It's not a total disaster - nothing is compromised except the email addresses. You know, the ones that are attached to any emails that you send out.

        It's a remote possibility that somebody used a unique email that encodes some important information in the address. But such people are their own enemies.
      • Just so you know: when you post a sky-is-falling position about something that seems pretty harmless, and the org in question is one that's up-ending a long-standing cartel that's held the reigns on something tightly, and you don't give any expansion on why (according to you) it is such a catastrophe, AND you post as Anonymous Coward... well, it makes you look pretty likely to be a shill for the industry that's being up-ended. Just wanted you to know how it comes across.
  • No good deed goes unpunished? Sounds about right... sadly.
  • This is a basic coding mistake made worse by a set of basic testing mistakes. The state of practical IT is truly amazingly bad when mistakes like these are made routinely. Does not instill any confidence in this specific group of people either.

    • Who needs test management, right? I mean, if your code is always *awesome*, why throw money down the well! :-)

      Test management is and always has been an uphill battle. You have to be constantly proving yourself and telling the management how this-and-that bug saved the company a $100K+ down the road. Quality has this funny trait of being rather invisible when it's present and people only really notice it when it's not there.

      • by gweihir ( 88907 )

        More like "who needs tests" in this case. Test management is a bit overblown for a simple small script. (At least that is what I would use. And I would send it out via a relay and check what is in the queue before activating that relay. Of course, I may just be overly cautious.)

        You do have a point of course. Skimping on testing, test management and developer skills is about as stupid as if firing the sysadmins because "everything is working well".

  • In other news, "Let's Encrypt" has changed their name to "Let's Disclose".

Keep up the good work! But please don't ask me to help.

Working...