GitHub just leaked 3032 email addresses
23 points by robinson-wall on March 19, 2013 | 9 comments
In the last few minutes I've been receiving emails from GitHub with "Company name, your GitHub Enterprise license expires (today|in x days)", each with 3032 email addresses in the 'To:' field.

I just hope that I don't end up getting all 3k emails.

Just got an update through:

    This morning a routine email was accidentally sent to many of our GitHub Enterprise customers. In these errant emails, customer email addresses were included in the To: field, making them visible to anyone who received the message.

    We have stopped the remaining messages in the email batch from being sent, and are investigating how this happened.

    We are very sorry that your email address was accidentally shared. Your GitHub Enterprise installation is unaffected, and no license keys or any other data were exposed during this incident.

    We are investigating the root cause of this email issue and will update our blog with our findings.
    Again, we are very sorry this happened. Your privacy is very important to us and we will be making changes to ensure that this does not happen again.

    If you have any further questions please email us at support@github.com

While unprofessional and insecure, things like this can happen even in the best development teams.

To whoever got access to this list, practice responsible disclosure and please don't publish the emails.

Does anyone want to hit "reply" and ask how it has happened? :P

I think you mean "reply all".

Even so, it would make more sense to put all the addresses in a mass email in the BCC field, regardless of whether they are enterprise clients or not. Keeping contacts safe and secure should be a requirement.

That's the thing - each email seems to be tailored for the company receiving it, it wasn't a one-shot to all on a list.

It feels kind of like the wrong variable was used for To when looping through generating the day's license expiration emails.
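
Added example (not part of the thread and not GitHub's code): a sketch of the kind of loop bug guessed at in the comment above, next to a corrected loop and a pre-send check that refuses the whole batch if any message names recipients outside the customer it was built for. The customer names, addresses and function names are constructed for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data: customer -> license contacts (not real addresses).
CUSTOMERS = {
    "Acme": ["ops@acme.example"],
    "Globex": ["it@globex.example", "cto@globex.example"],
    "Initech": ["admin@initech.example"],
}

def _message(name, recipients):
    msg = EmailMessage()
    msg["Subject"] = f"{name}, your GitHub Enterprise license expires today"
    msg["To"] = ", ".join(recipients)
    return msg

def build_buggy(customers):
    """Hypothetical bug: To: is filled from the whole contact list."""
    all_contacts = [a for addrs in customers.values() for a in addrs]
    # Wrong variable: every tailored message gets every customer's address.
    return [(name, _message(name, all_contacts)) for name in customers]

def build_fixed(customers):
    """Each message is addressed only to the contacts of its own customer."""
    return [(name, _message(name, contacts))
            for name, contacts in customers.items()]

def leaked_recipients(name, msg, customers):
    """Addresses in To/Cc that do not belong to the customer the mail is for."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    seen = {addr.lower() for _, addr in getaddresses(headers)}
    return sorted(seen - {a.lower() for a in customers[name]})

def send_batch(batch, customers, deliver):
    """Validate every message first, so a bad batch sends nothing at all."""
    for name, msg in batch:
        extra = leaked_recipients(name, msg, customers)
        if extra:
            raise ValueError(f"{name}: {len(extra)} foreign recipient(s) in To/Cc")
    for _, msg in batch:
        deliver(msg)
    return len(batch)
```

Validating before the first delivery matters here: the update quoted above says the remaining messages had to be stopped mid-batch, after some had already gone out.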

I also got this email. It's a list composed of their enterprise contacts.

Got this mail too, opened up a ticket with them.

I also got these emails. Nice work, GitHub.
