Free certificate authority Let's Encrypt has spaffed the email addresses of up to 7,618 users to each other in an email informing them of updates to its subscriber agreement.

In a post apologising for the error, the service noted that the incident wasn't as bad as it could have been, affecting only 1.9 per cent of the 383,000 users it had intended to email.

As the announcement explained, the blooper was committed "via an automated system which contained a bug that mistakenly prepended between 0 and 7,618 other email addresses to the body of the email. The result was that recipients could see the email addresses of other recipients."

"Each email mistakenly contained the email addresses from the emails sent prior to it," added Let's Encrpt, "so earlier emails contained fewer addresses than later ones."

The mistake, which isn't the most severe CA issue we've seen in recent times (and on a completely unrelated note, Symantec has bought Bluecoat) is the most significant to affect the business since its open beta launch last December.

All the same, the HPE-backed Let's Encrypt stated: "We take our relationship with our users very seriously and apologize for the error. We will be doing a thorough postmortem to determine exactly how this happened and how we can prevent something like this from happening again. We will update this incident report with our conclusions." ®