Thousands of Email Addresses Accidentally Disclosed By Let's Encrypt

An anonymous reader writes "Let's Encrypt, the certificate authority best known for offering free SSL/TLS certificates, has reported that it accidentally disclosed thousands of user email addresses due to a bug with an automated emailing system." Executive Director Josh Aas posted this announcement: On June 11 2016 (UTC), we started sending an email to all active subscribers who provided an email address, informing them of an update to our subscriber agreement. This was done via an automated system which contained a bug that mistakenly prepended between 0 and 7,618 other email addresses to the body of the email... The problem was noticed and the system was stopped after 7,618 out of approximately 383,000 emails (1.9%) were sent. Each email mistakenly contained the email addresses from the emails sent prior to it, so earlier emails contained fewer addresses than later ones.

We take our relationship with our users very seriously and apologize for the error... If you received one of these emails we ask that you not post lists of email addresses publicly.

I'm worried how it's being brushed off at HN!

I first learned about this awful incident at Hacker News.

What scares me the most is some of the responses there which just brush it off as no big deal! There are comments there like:

It sucks this happened but I don't really care.

and

Interesting. Slightly embarrassing. Not a huge deal. Handled well.

and

Things like this happens all the time. Give them a break.

The responses are just about as bad over at reddit:

Stupid bug, but the consequences of this bug is... nada. zip.

and

this is non-news, emails are public info

To make matters worse I'm seeing comments from people pointing out that this is not acceptable getting downvoted!

It scares the living hell out me that people can think that somehow this incident was acceptable or excusable, especially when it was an organization that has to put security, privacy and trust paramount that was responsible.

This incident was not acceptable. It should be considered a total disaster.

Re:I'm worried how it's being brushed off at HN!

To make matters worse I'm seeing comments from people pointing out that this is not acceptable getting downvoted!

Yes, the generic term for this phenomenon is "echo chamber". The same thing happens here at Slashdot if you say certain things that are unpopular and back them up with solid evidence so they can't easily be hand-waved away. It's just the way small minded people react at the point where they should say "I was mistaken".

It scares the living hell out me that people can think that somehow this incident was acceptable or excusable, especially when it was an organization that has to put security, privacy and trust paramount that was responsible. This incident was not acceptable. It should be considered a total disaster.

Speaking of small minded people, they generally look at particulars and not at principles. So it's all insignificant until they personally get hurt by it. When it's a SSN or a bank account number, and it happens to them, suddenly it matters and not a moment before. They don't seem to understand that security really matters at all times. Tolerating this kind of slack approach to security just encourages more of it and eventually it WILL be something a lot worse than e-mail addresses.