Let's Encrypt Email Address Disclosures

Let's Encrypt has a preliminaryreport about an email address disclosure. "On June 11 2016(UTC), we started sending an email to all active subscribers who providedan email address, informing them of an update to our subscriberagreement. This was done via an automated system which contained a bug thatmistakenly prepended between 0 and 7,618 other email addresses to the bodyof the email. The result was that recipients could see the email addressesof other recipients. The problem was noticed and the system was stoppedafter 7,618 out of approximately 383,000 emails (1.9%) were sent. Eachemail mistakenly contained the email addresses from the emails sent priorto it, so earlier emails contained fewer addresses than later ones."A postmortem is underway. (Thanks to Paul Wise)

Update: postmortem results have been added to the incident report. "A small piece of software had been written to handle one-off mass emailing to our subscribers. It was being used for the first time when this incident occurred.The software went through code review and testing as it was beingdeveloped, but testing was insufficient. It did not catch a bug whichprepended the email addresses of prior recipients to the body of emails. Insufficient testing is considered to be the root cause of this incident."