Let's Encrypt accidentally leaks user email data
Certificate authority Let's Encrypt has admitted to accidentally disclosing thousands of user emails.
Over the weekend, Josh Aas, executive director for the Internet Security Research Group (ISRG) apologized for the accidental data leak, saying in an advisory that the problem occurred due to a bug in the Let's Encrypt subscriber email system.
The bug "mistakenly prepended between 0 and 7,618 other email addresses" to an email due to be sent to subscribers to inform them of an update to the certificate authority (CA)'s subscriber agreement.
As a result, 7,618 recipients were able to see the email addresses of others who received the email in the body of the email, in plaintext.
However, Let's Encrypt notes that the data leak could have been far worse if the problem hadn't been noticed and stopped so quickly.
While 7,618 email addresses were disclosed, this is only the equivalent of 1.9 percent of users due to see the agreement update email land in their inbox. The system was stopped and examined before all 383,0000 recipients' emails were leaked to each other.
Aas also said some users would have been able to see more email addresses than others. Each email contained the email addresses from the emails sent prior to it, so earlier emails contained fewer addresses than later ones.
"We take our relationship with our users very seriously and apologize for the error," Aas writes. "We will be doing a thorough postmortem to determine exactly how this happened and how we can prevent something like this from happening again. We will update this incident report with our conclusions."
Let's Encrypt wants to improve security across the internet by introducing free Transport Layer Security (TLS) certificates to webmasters. In March, the organization said one million free TLS certificates had been issued, and by April, the CA left its beta stage, having issued over 1.5 million certificates for use on three million websites worldwide to encrypt communication channels.