Let's Encrypt lets 7,600 users... see each other's email addresses

Free certificate authority Let's Encrypt has spaffed the email addresses of up to 7,618 users to each other in an email informing them of updates to its subscriber agreement. In a post apologising for the error, the service noted that the incident wasn't as bad as it could have been, affecting only 1.9 per cent of the 383,000 …

  1. DaLo

    Well at least it was only 7,600, six times less than when this IT news organisation did it

    1. Ole Juul

      Useless list anyway

      There were a lot fewer than that in my email from them. I'd guess under a hundred. I frequently get better lists than that in my CC field.

      1. Ken Moorhouse

        Re: Useless list anyway

        Less is bad, more is good.

        If you got a small list that means that more recipients after you received your email address.

        Presumably the size of the CC field for later emails eventually caused a buffer overflow error which re-started the cycle.

        1. Bob Dole (tm)

          Re: Useless list anyway

          Depends on where their error checking code was.

          If it was at the point of sending the message and the system swallowed the error (unfortunately common practice) then only about 7600 individual emails were sent in total.

    2. JLV

      Isn't there a plugin available - for at least some email systems - that would require a manual confirmation if a CC list is bigger than an arbitrary threshold, say 100?

      To err is human, and it is rather silly that it is so easy to get caught out by this type of error.

  2. Anonymous Coward

    For extra Chuckle Brothers effect

    they could have e-mailed the whole user base in the CC field of the apology.

    1. Barry Rueger

      Re: For extra Chuckle Brothers effect

      There was an apology? I didn't see it.

      And because I wasn't going to scroll through an endless list of addresses I also didn't see the new TOS.

      LetsEncrypt is a great idea, but the overall implementation could use some work.

  3. Christoph

    Very common type of error. Go to next user. Add address to email, send email. Loop.

    The error being of course to not clear out the existing addresses as the first operation in the loop. Or possibly to loop back to the statement after the clear out.

    1. Phil O'Sophical

      No, the error was not testing it on dummy data before using it on their actual user base.

      1. Doctor Syntax

        "No, the error was not testing it "

        No. Both were errors.
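An added example, not code from Let's Encrypt or from any commenter, that models the loop Christoph describes (the address list never cleared between iterations), the corrected loop, and a pre-send guard of the kind JLV asks about; the threshold, the mailer structure and the sample addresses are assumptions.

```python
import re
from dataclasses import dataclass

MAX_CC = 100  # hypothetical threshold, roughly what JLV's comment suggests
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


@dataclass
class Message:
    to: str
    cc: list
    body: str


def build_buggy(subscribers, template):
    """Reproduces the pattern described in the thread: the address list
    is appended to on every iteration and never cleared, so each message
    carries the addresses of everyone processed before it."""
    acc = []  # should be reset at the top of the loop, but is not
    out = []
    for addr in subscribers:
        acc.append(addr)
        out.append(Message(to=addr, cc=[], body="\n".join(acc) + "\n\n" + template))
    return out


def build_fixed(subscribers, template):
    """Correct loop: each message is built from its own recipient only."""
    return [Message(to=addr, cc=[], body=template) for addr in subscribers]


def foreign_addresses(msg):
    """Addresses in CC or body that are not the recipient's own."""
    found = set(msg.cc) | set(EMAIL_RE.findall(msg.body))
    return found - {msg.to}


def check_before_send(msgs, max_cc=MAX_CC):
    """Guard a whole batch before anything leaves the mailer: refuse if any
    message has more than max_cc CC entries, or carries another subscriber's
    address anywhere in it. Returns (ok, index_of_first_offender_or_None)."""
    subscribers = {m.to for m in msgs}
    for i, m in enumerate(msgs):
        if len(m.cc) > max_cc or foreign_addresses(m) & subscribers:
            return False, i
    return True, None
```

Run against a dry-run batch on test data, the guard stops the buggy batch at the second message, which is the first one that exposes someone else's address.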

  4. Anonymous Coward

    I feel slightly vindicated now, when I set up LetsEncrypt I decided not to provide an email address. I monitor certs for expiration anyway, so the notification email should never trigger

  5. Mark 85

    Am I misunderstanding this... wouldn't the first people emailed get copies of all the emails sent after them?

    1. Old Handle

      No... err yes, you are misunderstanding. It said they mistakenly prepended the list of addresses to the body of the email. Goodness only knows why the software was set up to do that, but at least that means the first people on the list didn't get 7000+ copies.

      1. Mark 85

        Thanks. I wasn't quite sure but you cleared it up.

  6. Bob Dole (tm)

    No biggie

    Sounds like this wasn't really a big deal. I mean, all those email addresses are likely already in an advertisers database anyway.

  7. Glenn 6

    Well, at least it's only the email addresses of people who signed up for basically a software beta.

    Coulda been a lot worse, at least it wasn't something embarrassing like Ashley Madison.

    Oh, wait..

  8. Aodhhan

    You do get what you pay for, especially when it's free.

    This will not be the last time something happens with this company.

    Not to say this company doesn't have some talented people working for it; however, since their revenue isn't as high as other CAs', they aren't likely to pay their people as well. Which means they're more likely to fill many more positions with people who don't have much talent or experience. You know where this is going.

    For individual users, not a big deal... as long as you aren't storing a bunch of embarrassing things. For companies... it's another story.

  9. 101

    Borked again....

    I got the email saying my address was borked, but not the email that caused it all.

    This gets so tiresome getting your data routinely stolen or in this case given away. I would say it's happening about twice per year now, and likely more because every leak is likely not reported or admitted. Meanwhile, if you try to protect your stuff, you get tagged as paranoid or not "with it".

    THEY should do something about this, but THEY are too busy slurping data themselves.


Biting the hand that feeds IT © 1998–2019