Let’s Encrypt leaks 3,125 e-mail addresses

First of all, I absolutely love Let’s Encrypt. It’s a very easy way to protect a website. All WordPress.com websites are protected with an SSL certificate from Let’s Encrypt as well. I received an e-mail this morning from Let’s Encrypt about their new Subscriber Agreement. Above the message there is a big list of 3,125 e-mail addresses, including my own. It looks like they forgot to put those addresses in the BCC field of the e-mail. The message is genuine and not a phishing attempt: the SPF check on the sending domain passed: Authentication-Results: spf=pass (sender IP is smtp.mailfrom=mandrillapp.com;

Dear Let’s Encrypt Subscriber,

We’re writing to let you know that we are updating the Let’s Encrypt Subscriber Agreement, effective June 30, 2016. You can find the updated agreement (v1.1) as well as the current agreement (v1.0.1) in the “Let’s Encrypt Subscriber Agreement” section of the following page:


Thank you for helping to secure the Web by using Let’s Encrypt.

We’re talking about a Certificate Authority here! Hopefully they protect the SSL certificates better than this.
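The exposure described above, as an added example that is not part of the original post: a small Python check of the kind a mailbox filter could run, which counts the addresses visible to every recipient (To: and Cc:, since Bcc: is stripped in transit) and reads the SPF verdict and envelope-sender domain out of the Authentication-Results header. The message, its 3,125 addresses and the IP are constructed, and the 25-recipient threshold is an assumed cut-off.

```python
import re
from email import message_from_string, policy

# Constructed sample, not the real message: a bulk mailing whose recipients
# ended up in To: instead of Bcc:, with the kind of Authentication-Results
# header a receiving server adds. All addresses and the IP are made up.
CONSTRUCTED_RECIPIENTS = [f"subscriber{i:04d}@example.com" for i in range(3125)]
CONSTRUCTED_MESSAGE = (
    "Authentication-Results: mx.example.net; spf=pass (sender IP is 198.51.100.7)"
    " smtp.mailfrom=mandrillapp.com\n"
    "From: Let's Encrypt <noreply@letsencrypt.org>\n"
    "To: " + ", ".join(CONSTRUCTED_RECIPIENTS) + "\n"
    "Subject: Let's Encrypt Subscriber Agreement update\n"
    "\n"
    "Dear Let's Encrypt Subscriber,\n"
)

def visible_recipients(raw):
    """Addresses every recipient can see: To: and Cc: (Bcc: never arrives)."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    for field in ("To", "Cc"):
        for header in msg.get_all(field, []):
            found.extend(a.addr_spec for a in header.addresses)
    return found

def spf_verdict(raw):
    """Return (spf result, smtp.mailfrom domain) from Authentication-Results."""
    msg = message_from_string(raw, policy=policy.default)
    ar = msg.get("Authentication-Results", "")
    result = re.search(r"\bspf=(\w+)", ar)
    mailfrom = re.search(r"smtp\.mailfrom=([A-Za-z0-9.-]+)", ar)
    return (result.group(1) if result else None,
            mailfrom.group(1) if mailfrom else None)

def exposure_report(raw, threshold=25):
    """Flag a message exposing many recipients; threshold is an assumed cut-off."""
    recipients = visible_recipients(raw)
    result, mailfrom = spf_verdict(raw)
    return {
        "visible_recipients": len(recipients),
        "mass_exposure": len(recipients) > threshold,
        "spf": result,
        "mailfrom": mailfrom,
    }

if __name__ == "__main__":
    print(exposure_report(CONSTRUCTED_MESSAGE))
```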

UPDATE: Official statement from Let’s Encrypt.