Just email addresses?

Unfortunately I don't believe that just email addresses were compromised. I can't remember whether it was 2001 or 2002 but back then, criticalmass got righteously hacked. A slowdown in service was reported but it wasn't until many hours later when criticalmass went down that NOC figured out that the slowdown was a DDOS against one of the others to distract from the hacking attempts on criticalmass. They needn't have bothered as neither were noticed.

CS staff were told to keep quiet about the hack and it was reported as a server failure. What was even worse was there was a plaintext list of passwords on each of the cgi servers. A mass email was sent out advising people to change their passwords but leaving out why. A week later it transpired that someone had left the plaintext list on the new server in a web accessible directory so another round of emails about changing passwords went out.

All the while, noone knew that criticalmass had been hacked except staff. Nice. At least this time they are admitting to the hack but is there anything that management aren't admitting to?