Let's Encrypt, a free and open certificate authority for issuing digital certificates, has inadvertently distributed a number of subscriber email addresses in a message sent to all subscribers.
Let's Encrypt is operated by the non-profit Internet Security Research Group (ISRG), and was unveiled in 2014 as a free service for the public's benefit, enabling anyone who owns a domain name to obtain a trusted certificate at no cost.
The organisation has now issued an alert notifying its users that an email recently sent to all active subscribers informing them of an update to the subscriber agreement inadvertently disclosed the email addresses of some of those subscribers.
"On June 11 2016 we started sending an email to all active subscribers who provided an email address, informing them of an update to our subscriber agreement. This was done via an automated system which contained a bug that mistakenly prepended between 0 and 7,618 other email addresses to the body of the email. The result was that recipients could see the email addresses of other recipients," the alert said.
The problem was spotted quickly, according to Let's Encrypt, and the system was halted after 7,618 emails had been sent out of approximately 383,000 scheduled.
Each email mistakenly contained a cumulative list of the addresses that the emails sent before it had gone to, so earlier emails contained fewer addresses than later ones.
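The cumulative pattern described above can be reproduced and caught before sending. This is an added example, not Let's Encrypt's code: the root cause is not given here, so the shared-buffer loop is an assumed bug pattern that produces the same symptom, and all function names and sample addresses are hypothetical.

```python
import re

# Constructed sample data: subscriber list and notice text are hypothetical.
SUBSCRIBERS = ["a@example.org", "b@example.net", "c@example.com", "d@example.org"]
NOTICE = "We have updated our subscriber agreement."
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def build_buggy(recipients, notice):
    """Assumed bug pattern: one buffer reused across iterations, never reset."""
    buf, out = [], []
    for rcpt in recipients:
        out.append((rcpt, "\n".join(buf + [notice])))
        buf.append(rcpt)  # state from this send leaks into the next body
    return out

def build_fixed(recipients, notice):
    """Each body is built from the template alone; no cross-recipient state."""
    return [(rcpt, notice) for rcpt in recipients]

def foreign_addresses(rcpt, body, allowed=()):
    """Addresses in the body that are neither the recipient nor allow-listed."""
    ok = {rcpt.lower(), *(a.lower() for a in allowed)}
    return sorted({m.lower() for m in ADDR_RE.findall(body)} - ok)

def send_all(messages, send, allowed=()):
    """Pre-send guard: halt the whole run at the first body that leaks."""
    sent = 0
    for rcpt, body in messages:
        leaked = foreign_addresses(rcpt, body, allowed)
        if leaked:
            raise RuntimeError(
                f"halt before send #{sent + 1}: {len(leaked)} foreign address(es) in body")
        send(rcpt, body)
        sent += 1
    return sent
```

Legitimate addresses that belong in every message, such as a support contact, go in `allowed`; the guard stops the run instead of skipping the message, because one leaking body implies the ones after it leak too.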
The organisation has issued an apology, and asked people who received one of the faulty emails not to publicly disclose any of the other subscriber email addresses.
"We take our relationship with our users very seriously and apologise for the error. We will be doing a thorough post mortem to determine exactly how this happened and how we can prevent something like this happening again. We will update this incident report with our conclusions," said Josh Aas, ISRG executive director, in a post on the Let's Encrypt site.
Let's Encrypt is backed by a number of organisations, including Cisco, Mozilla, Akamai and the Electronic Frontier Foundation.