As many as 40,000 addresses, presumably those of petitioners, may be affected.
by Dan Goodin - Apr 3, 2015http://cdn.arstechnica.net/wp-content/uploads/2015/04/change-dot.org-email-leak-640x281.png
Online petitions service Change.org has a website bug that's disclosing as many as 40,000 e-mail addresses that presumably belong to current or former subscribers.
The disclosure bug was active at the time this post was being prepared and is exploitable using the search box provided on the site or via Google or Bing. The number of results returned ranged from 40,000 to 65,000, although not every result included an e-mail address. Still, a large number of them returned pages like the one above, which Ars has redacted out of fairness to the affected e-mail user.
Full Article