Let’s Encrypt Exposes User Email Addresses

Server Bug Exposes Email Addresses of 7,618 Let’s Encrypt Users

Thousands of Let’s Encrypt users saw their email addresses being exposed this Saturday, when the open certificate authority (CA) started sending a notification to active subscribers.

Backed by the Electronic Frontier Foundation (EFF) and numerous large Internet and tech companies, Let’s Encrypt is a project aimed at bringing encryption to all areas of the Internet. It provides website owners with free certificates, in an attempt to encourage them to transition to HTTPS to ensure a secure communication between their sites and users’ browsers.

Because of a server glitch, when Let’s Encrypt started sending out emails to its users on June 11 to inform them of an update to its subscriber agreement, the automated system used for that mistakenly prepended email addresses to the body of the message. Because of this issue, recipients could see the email addresses of other subscribers.

Let’s Encrypt ISRG Executive Director Josh Aas explains that the bug was discovered after 7,618 emails had been sent, and that the automated system was stopped at that point. Because the bug was caught early, only 1.9% of the Let’s Encrypt subscribers who had provided an email address were affected.

Aas also explained that each new message contained the addresses of all previous recipients. “Each email mistakenly contained the email addresses from the emails sent prior to it, so earlier emails contained fewer addresses than later ones,” Aas reveals.
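The pattern Aas describes, a per-recipient body built from state that is never reset between iterations, is easy to reproduce and easy to guard against. The following is an added illustration, not Let’s Encrypt’s or Mandrill’s actual code (the root cause was still under investigation): a buggy batch renderer beside a corrected one, plus a pre-send check that halts the run as soon as a message would carry another subscriber’s address. The recipient list and notice text are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample data; not the real subscriber list or notice wording.
RECIPIENTS = ["alice@example.org", "bob@example.org", "carol@example.org"]
NOTICE = "Our subscriber agreement has been updated. Please review it.\n"


@dataclass
class Message:
    to: str
    body: str


def render_batch_buggy(recipients, template):
    """Reproduces the failure pattern described in the article: the prefix
    buffer is built up across the loop instead of being reset per recipient,
    so each message carries the addresses of everyone mailed before it."""
    sent, prefix = [], ""
    for addr in recipients:
        prefix += addr + "\n"  # bug: accumulates across iterations
        sent.append(Message(to=addr, body=prefix + template))
    return sent


def render_batch_fixed(recipients, template):
    """Each body is built from scratch; no state is shared across iterations."""
    return [Message(to=addr, body=template) for addr in recipients]


def leaked_addresses(msg, all_recipients):
    """Addresses other than the recipient's own that appear in the body."""
    return sorted(a for a in all_recipients if a != msg.to and a in msg.body)


def send_with_guard(messages, all_recipients, send):
    """Sends in order and stops at the first message that would disclose
    another subscriber's address. Returns (count delivered, offending recipient)."""
    delivered = 0
    for msg in messages:
        if leaked_addresses(msg, all_recipients):
            return delivered, msg.to
        send(msg)
        delivered += 1
    return delivered, None


if __name__ == "__main__":
    buggy = render_batch_buggy(RECIPIENTS, NOTICE)
    print("buggy batch:", send_with_guard(buggy, RECIPIENTS, lambda m: None))
    fixed = render_batch_fixed(RECIPIENTS, NOTICE)
    print("fixed batch:", send_with_guard(fixed, RECIPIENTS, lambda m: None))
```

Running the guard over the buggy batch stops after a single delivery, because the second message already contains the first recipient's address; the fixed batch delivers all three.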

Given that around 383,000 users subscribed to the open CA’s newsletter, the impact of the glitch could have been much bigger. Aas also appealed to those who accidentally received the email addresses of other users not to post them publicly.

As some of the Let’s Encrypt subscribers who started discussing the issue on the CA’s community forums suggest, the culprit might be the Mandrill transactional email platform from MailChimp. The CA was using this service to send the email notifications and the glitch might have either emerged from the communication between Let’s Encrypt and Mandrill, or from the service itself.

According to Aas, the CA is currently investigating the incident and will post more details on the matter soon. “We take our relationship with our users very seriously and apologize for the error. We will be doing a thorough postmortem to determine exactly how this happened and how we can prevent something like this from happening again. We will update this incident report with our conclusions,” he said.

Let’s Encrypt issued its first digital certificate in September last year and entered public beta in December. The CA shed the beta tag in early April 2016, one month after it issued its millionth certificate. In May, EFF announced that the Let’s Encrypt client Certbot was launched in beta.
