On May 29, 2018, we sent out an email to 77 subscriber email addresses notifying them that an old version of software on their server was sending excessive traffic to Let’s Encrypt. Because of the relatively small set of subscribers we needed to notify, an engineer drafted the email to be sent and sent it to that list of addresses. Instead of pasting the list of addresses into the BCC field as intended, that engineer pasted the list of addresses into the To field, disclosing the list of email addresses to each recipient.
We noticed the error immediately and replied with everyone moved to BCC in order to avoid an accidental reply-all thread, however, each of the subscribers still has a copy of the original email that CC’s the others.
Our current policy allows for email sent to small numbers of subscribers such as this to be sent by individual engineers. Emails sent to larger numbers of subscribers are sent via an automated system. We will be modifying our policy to require peer review for any email sent to multiple subscribers.