It has all started on early Wednesday with a harmless request from a businessman from North Carolina to the Homeland Security Department. The man has simply responded to a daily antiterrorism bulletin, by asking it be sent to another email address. The businessman has asked this thing because he switched jobs and has wanted the daily report be sent to his new email address. However, by the afternoon of the same day, more than 2.2 million messages have been already flooding the Internet revealing highly sensitive private email data. How could something like that happen?

The United States’ security officials and the military personnel have found their email information spread all over the Internet because of a programming flaw that has involved the “reply” function. The Department of Homeland Security mailing list has got apparently misconfigured and has begun routing any reply that someone sent to another member on the list to every subscriber from the same mailing list. Furthermore, the mailing list has been configured in such way so that it could reveal the email addresses of all of the senders; so the names and all the contact details of hundreds and hundreds of list members have been exposed. Among these members one could find, obviously, government workers, private experts on domestic security and other people working in critical infrastructure positions.

The Department of Homeland Security’s Daily Open Source Infrastructure Report mailing mistake has been reported only about nine hours later, when it has been already too late. The mistake has provided the phishers an important of data that they could use for their future attacks.