A vulnerability on the Change.org website exposed the email addresses "a small subset” of the online petition organization's users, according to a statement by Tim Catlin, the organization's vice president of engineering.
Information on the users “could be seen publicly through the search function” on Change.org's platform, Catlin said. Those users had “previously pasted emails” from the organization into public web pages. The unsubscribe link, which contained a hashed version of the user's email address at the end of the emails, was indexed by Google.
Even though the organization makes it a best practice “to obscure or hash the email address in unsubscribe links,” that didn't preclude search engines from showing the links that ultimately exposed the email addresses.
Change.org has since disabled searching on its website, asked major search engines to clear indexed email addresses, and implemented a fix that prevents search engines from indexing unsubscribe pages.