All The Tropes Wiki Project, Part XIII
RE: All The Tropes Wiki Project, Part XIII
#30
The setting wasn't actually misconfigured. It was just, well, the code was written with a different privacy regime in mind, before GDPR was a thing. Local wiki admins could change emails for users if SocialProfile was enabled -- which means they could also view the email. If you're running a single-site wiki, this makes sense. For a wiki farm, it's kind of a misfeature, as wiki admins are not website staff.

Only wiki admins and bureaucrats got to see the email address, and only for users with an account on that site. So pretty much, the people who had the most access to private data on Miraheze are all people who read this thread. Largest wikis, and all. (I'm the only Miraheze staff, so I'm allowed to see it, but the rest of you, not so much.) So in terms of it being an actual breach... is anyone here using email addresses they saw from SocialProfile? Since you all have a tendency to ask for CheckUser, I'm thinking not.

3884 users may have been affected in the worst case, though no one had access to the whole set. Split about 3 ways with verified email, unverified email, and empty email field (may have been deleted). My best guess at any actual information being seen is less than 100 times, and that information being used or recorded outside Miraheze is near zero. We have no evidence that anyone was actually compromised, but our logs don't go back to the time our privacy policy was enacted.
"Kitto daijoubu da yo." - Sakura Kinomoto


Messages In This Thread
RE: All The Tropes Wiki Project, Part XIII - by Labster - 01-27-2019, 06:02 AM