Let’s Encrypt Email Leak Shows Flaws in Centralized Trust
Let’s Encrypt, the free, open-source certificate authority, announced yesterday that it had unintentionally leaked thousands of email addresses from its subscriber mailing list to those same subscribers. The organization disclosed that 7,618 email addresses were exposed, and that the same number of users received those addresses in varying quantities as the automated email chain grew in size.
‘Minor’ Email Breach Raises Questions
The leak occurred during a mass email about a change to their subscriber agreement, when an automated mailer-bot erroneously added the previous recipients of the email to the body of each subsequent message. Each new email contained one more address than the last, meaning only those that received one of the bad emails had their address leaked, with the exception of the first and final emails in the chain. No other personal information was leaked, and there has been no security breach of Let’s Encrypt’s site or services.
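The failure mode described above, state carried over from one recipient to the next, is easy to reproduce in a loop that reuses a mutable message buffer. The following is an added, constructed example and not Let’s Encrypt’s mailer or anything from their incident report: the mailer structure, the `Sent to:` footer and the `example.invalid` addresses are all assumptions made to illustrate the pattern. It shows the buggy loop beside a corrected one, plus the kind of pre-send check a defender would want, which refuses to send any message whose body mentions a subscriber other than its own recipient.

```python
"""Constructed simulation of an accumulating-recipient mailer bug.

Added example, not Let's Encrypt's code. Names, template and the
placeholder addresses below are assumptions for illustration only.
"""
from dataclasses import dataclass

# Constructed sample mailing list (placeholder addresses, not real subscribers).
SUBSCRIBERS = [f"user{i}@example.invalid" for i in range(1, 6)]

# Hypothetical notice template; the per-recipient footer is an assumption.
TEMPLATE = "Hello,\nOur subscriber agreement has changed.\n"


@dataclass
class Message:
    to: str
    body: str


def buggy_mailer(subscribers):
    """Reuses one mutable body buffer across the loop, so every earlier
    recipient's address rides along into the next message: each email
    carries one more address than the last."""
    messages = []
    body_lines = TEMPLATE.splitlines()          # shared buffer: the defect
    for addr in subscribers:
        body_lines.append(f"Sent to: {addr}")   # appended, never reset
        messages.append(Message(to=addr, body="\n".join(body_lines)))
    return messages


def safe_mailer(subscribers):
    """Builds each body from the template alone; no state survives
    between iterations, so nothing about other recipients can leak."""
    messages = []
    for addr in subscribers:
        body = TEMPLATE + f"Sent to: {addr}"    # fresh string per recipient
        messages.append(Message(to=addr, body=body))
    return messages


def leaked_addresses(messages, subscribers):
    """Pre-send check. Returns {recipient: [foreign addresses found in body]}
    for every message whose body mentions a subscriber other than its own
    recipient. An empty dict means the batch is safe to send."""
    leaks = {}
    for msg in messages:
        foreign = [a for a in subscribers if a != msg.to and a in msg.body]
        if foreign:
            leaks[msg.to] = foreign
    return leaks


if __name__ == "__main__":
    bad = leaked_addresses(buggy_mailer(SUBSCRIBERS), SUBSCRIBERS)
    for to, addrs in bad.items():
        print(f"{to} would receive {len(addrs)} other address(es)")
    print("safe mailer leaks:", leaked_addresses(safe_mailer(SUBSCRIBERS), SUBSCRIBERS))
```

Running the check against the buggy batch flags every message after the first, each with one more foreign address than the previous one, exactly the growth the article describes; the corrected mailer produces an empty result. A check like this belongs in the send pipeline as a gate, not in a postmortem.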
This is not, unfortunately, the first security issue Let’s Encrypt has faced: earlier this year, malware was found that had been signed with a certificate issued by the free certificate authority. It is important to note, however, that less than 2% of the mailing list was affected by the leak, which the nonprofit addressed promptly:
“We take our relationship with our users very seriously and apologize for the error. We will be doing a thorough postmortem to determine exactly how this happened and how we can prevent something like this from happening again. We will update this incident report with our conclusions.”
If you subscribe to the Let’s Encrypt mailing list, all you can do at present is check your inbox, shake your head, and refuse any shady solicitations from data miners and ad-serving networks. No matter how small or inconsequential this breach was, it is still emblematic of the inherent flaws in centralized trust on the web.