Let’s Encrypt leaks 3.125 email addresses

First of all, I absolutely love Let’s Encrypt. It’s a very easy way to protect a website. All WordPress.com websites are protected with an SSL certificate from Let’s Encrypt as well.

I received an e-mail this morning from Let’s Encrypt about their new Subscriber Agreement. Above the message, there is a big list with 3.125 e-mail addresses including my own e-mail address. Looks like they forgot to put those email addresses in the BCC of the email. The e-mail was sent from the Let’s Encrypt mail servers because the SPF record is valid:

Authentication-Results: spf=pass (sender IP is smtp.mailfrom=mandrillapp.com;

Dear Let’s Encrypt Subscriber,

We’re writing to let you know that we are updating the Let’s Encrypt Subscriber Agreement, effective June 30, 2016. You can find the updated agreement (v1.1) as well as the current agreement (v1.0.1) in the “Let’s Encrypt Subscriber Agreement” section of the following page:


Thank you for helping to secure the Web by using Let’s Encrypt.

We’re talking about a Certificate Authority here! Hopefully they’ll protect the SSL certificates in a better way.

UPDATE: Official statement from Let’s Encrypt.
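
An added example, not part of the original post: it parses an Authentication-Results header like the one quoted above and reports which domain the spf=pass result covers (the envelope sender in smtp.mailfrom), whether that domain matches the From domain exactly, and how many addresses sit in the visible To/Cc headers. The message is constructed; the IP, the From address and the recipients are placeholders, and only smtp.mailfrom=mandrillapp.com comes from the post.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample message. The IP, From address and recipients are
# placeholders; only smtp.mailfrom=mandrillapp.com is taken from the post.
SAMPLE = """\
Authentication-Results: mx.receiver.example; spf=pass (sender IP is 192.0.2.10)
 smtp.mailfrom=mandrillapp.com; dkim=none; dmarc=none
From: Notices <notices@sender.example>
To: a@one.example, b@two.example, c@three.example
Subject: Subscriber Agreement update

Body text.
"""


def domain_of(value):
    """Return the lower-cased domain of an address or bare domain."""
    return value.rsplit("@", 1)[-1].strip().lower()


def summarize(raw):
    """Report what SPF authenticated and which recipients are exposed."""
    msg = message_from_string(raw)
    # Unfold the header: continuation lines start with whitespace.
    ar = " ".join(msg.get("Authentication-Results", "").split())
    result = re.search(r"\bspf=(\w+)", ar)
    mailfrom = re.search(r"\bsmtp\.mailfrom=([^\s;]+)", ar)
    spf_domain = domain_of(mailfrom.group(1)) if mailfrom else None
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    # Addresses in To/Cc are delivered to every recipient; Bcc is not.
    visible = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {
        "spf": result.group(1).lower() if result else None,
        "spf_domain": spf_domain,      # domain SPF actually checked
        "from_domain": from_domain,    # domain the reader sees
        # Exact match only; relaxed DMARC alignment needs a public suffix list.
        "strictly_aligned": spf_domain == from_domain,
        "visible_recipients": len([a for _, a in visible if a]),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```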
