Vaultwiki sent out an email and exposed a whole bunch of email addresses.

[maryx]

Are you people nuts? I just got an an email from you with this subject header
VaultWiki Security Update: October 14, 2014

It was to a group of maybe 50 people and YOU DIDN'T USE BCC

So, now I have all these people's email addresses and they have mine.

This is incredibly unprofessional, I am astonished.
Whoever sent this out should be fired from your company. It is too, too stupid.
It's inexcusable.

[pegasus]

We apologize for the duplicate mailing. One of the two messages that was sent out had corrupted body text, while the other contained the correct text.

From what I understand, these two mails only went out to a small number of users. The first one repeated the Hello line in the body text multiple times with different user's display-names (usernames) in each line, rather than containing the appropriate security notice. This mailing was canceled within seconds but some users still managed to receive it. Again we apologize for this duplicate mailing.

Aside from that, our understanding is that no sensitive data was released, not even email addresses. Our mail messages are not sent as 1 mail message with users CC'd or BCC'd. Each user receives 1 email that is addressed to exactly 1 user. So there should be no risk of email addresses being shared.

The 'Hello user' line was the error that we are aware of and it only showed the site usernames of however many users received the mail before the process was killed. Site usernames are public information that can be accessed here in totality, as with other vBulletin forums: https://www.vaultwiki.org/users/list/

I have run several tests against the original faulty mail script, to make an adequate response to your inquiry and can confirm that at least in my tests, the 1 email address per 1 message rule holds true and I cannot see other email addresses in the message headers, only the duplicated display-names.

It is possible that some users had used their email address as their username. There is nothing we can do about that, unfortunately. The username is a public-facing name that other users will be able to see from time to time, and most users are aware of this when they sign up.

If you believe our understanding of the duplicate message is incorrect, please forward a copy of the message you received back to us and we will investigate the matter further.

[DragonSigh]

I received it too, but there is no e-mail addresses only a bunch of usernames. So I don't understand such aggression in the first post.