This weekend the Wikimedia Foundation was notified by an outside security expert that they had discovered public access to what was intended to be a private mailing list. External access to the mailing list was immediately disabled, and our Office IT team began assessing which other private mailing lists may have been publicly accessible. The two mailing lists we ultimately found to have been publicly accessible for a period of time had been and are utilized by Wikimedia Foundation staff as intake email addresses to facilitate processing of the now-deprecated Project & Event Grants (PEG) program and the current Project Grants program.
We have no indication that the emails were accessed and misused by third parties. However, we will shortly be contacting everyone who interacted with these lists to provide them with more specific information about how they may have been affected and to recommend precautionary steps they may wish to take. Multiple departments within the Foundation are also reviewing potential internal procedural changes to prevent future incidents, and are sharing additional information on secure mailing list management with the staff.