Security: email addresses of subscribers are public to all users

Today I recognized I can open the list of subscribers of other blogs (not just mine) and see all email addresses. Example:

h t t p s : / /

I’m obviously not @ekenemoses and should not be able to see the email addresses of his subscribers. I should not have access to this page at all, just to my subscribers.

EDIT: I got to the subscriber page via a Google search! So actually it is very easy to find all subscribers of all blogs at with a Google search and harvest the email addresses with a script.


Let’s ping @help

Seems to be an urgent privacy matter!
I can confirm this happens for any user when logged in.
Email address and followers harvesting.
Anyone with an account can harvest the subscribers and followers from any blog by simply changing the username in the URL.

Oh wow! I thought I could see my subscribers because I’m already signed in with my phone and desktop. I think this puts subscribers at risk and they may opt to unsubscribe if they ever come across it on the internet. Thank you @McPringle for bringing this up.

Please block access to the subscribers and followers pages. This is a GDPR and privacy violation, I don’t want the to have to close down due to a potential fine.
Can anyone please reach out to matt on the fediverse as well?

I sent an email to

Really sorry for this issue – it was fixed earlier this morning. Note that while it existed, only logged-in users were able to access these pages.

@McPringle, in the future you need to report security vulnerabilities to us privately, via normal support email, as others did. While this was indeed a severe issue, publicizing the information like this makes the situation more unsafe by encouraging others who didn’t previously know about it to exploit it.


Thank you for fixing @matt !


You are right, I’m sorry. I wasn’t thinking about it, this was my first report of a security incident. Will do it better next time! :slight_smile:

No worries :slightly_smiling_face: Thanks again for reporting.
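
The bug reported in this thread is a missing ownership check: the subscribers page required a login but did not compare the username in the URL with the logged-in user. The difference between the two checks, with a regression test for it, as an added example that is not the platform's own code; the handler names, the sample data and the one-blog-per-username model are assumptions:

```python
# Added example: hypothetical handlers and constructed data, not the platform's code.
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: blog owner -> subscriber e-mail addresses.
# Assumption: each blog is identified by its owner's username, as in the URL.
SUBSCRIBERS = {
    "alice": ["reader1@example.com", "reader2@example.com"],
    "bob": ["fan@example.org"],
}

@dataclass
class Response:
    status: int
    body: list

def subscribers_vulnerable(session_user: Optional[str], blog: str) -> Response:
    """Checks only that the caller is logged in (authentication)."""
    if session_user is None:
        return Response(401, [])
    if blog not in SUBSCRIBERS:
        return Response(404, [])
    # Bug: the blog name from the URL is never compared with the caller.
    return Response(200, SUBSCRIBERS[blog])

def subscribers_fixed(session_user: Optional[str], blog: str) -> Response:
    """Also checks that the caller owns the requested blog (authorization)."""
    if session_user is None:
        return Response(401, [])
    # Same 404 for "not yours" and "does not exist", so the response
    # does not confirm which blogs exist.
    if blog != session_user or blog not in SUBSCRIBERS:
        return Response(404, [])
    return Response(200, SUBSCRIBERS[blog])

def audit(handler) -> list:
    """Return every (caller, blog) pair where a caller gets another owner's list."""
    leaks = []
    for caller in SUBSCRIBERS:
        for blog in SUBSCRIBERS:
            if caller != blog and handler(caller, blog).status == 200:
                leaks.append((caller, blog))
    return leaks

if __name__ == "__main__":
    print("vulnerable:", audit(subscribers_vulnerable))
    print("fixed:     ", audit(subscribers_fixed))
```

Running `audit` against every owner-scoped page in a test suite catches this class of bug before release, because it exercises each page as a logged-in user who is not the owner.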