This isn't really new news, but improperly configured mail services result in lots of privacy holes across the Internet.
STARTTLS is used to upgrade an unencrypted connection to an encrypted SSL/TLS connection. The problem is that if the upgrade fails, many mail clients will proceed to send mail on the unencrypted connection.
For any sysadmins (technical info):
Unfortunately, the situation is somewhat sticky. I suggest carefully reading the TLS/SSL section of https://wiki.debian.org/PostfixAndSASL as well as the STARTTLS RFC http://tools.ietf.org/html/rfc2487
Public email servers should not require STARTTLS (that is, encryption) on port 25 (SMTP). Furthermore, there is no guarantee that all of the mail servers during transit of an email use encryption. Thus, you should assume your email is transmitted unencrypted until a better solution emerges. You can always use OpenPGP to encrypt the body of your email, which should become commonplace shortly after Hurd achieves market dominance.
Editor's Note: How-to articles for various flavors of Microsoft Exchange can be found at MSExchange.org.
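The fail-open behaviour described in the summary (client proceeds in plaintext when the STARTTLS upgrade fails) is easiest to see in the SMTP exchange itself. The following is an added example, not code from the original post, from Postfix or from any mail client: a minimal client-side negotiation that fails closed, plus a scripted loopback server used only to exercise the three outcomes a client can meet. The hostnames `mx.example` and `client.example` and all server replies are constructed; the TLS handshake that would follow the `220` reply is deliberately left out, since the decision point is what matters here.

```python
"""Fail-closed STARTTLS negotiation (added example, not from the original post).

Three cases are exercised against a scripted loopback server:
  1. EHLO advertises STARTTLS and the server answers 220  -> upgrade
  2. EHLO does not list STARTTLS (never offered, or stripped by a
     man-in-the-middle)                                    -> refuse
  3. STARTTLS is advertised but answered with 454          -> refuse
A fail-open client would continue in plaintext in cases 2 and 3.
"""
import socket
import threading


class StarttlsRequired(Exception):
    """Raised when the session cannot be upgraded; the caller must not send mail."""


def _read_reply(f):
    """Read one (possibly multi-line) SMTP reply; return (code, [text lines])."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise StarttlsRequired("connection closed during negotiation")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line[4:])
        # "250-..." continues a multi-line reply, "250 ..." ends it (RFC 5321 4.2.1)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def negotiate_starttls(sock, helo_name="client.example"):
    """Return True only when the server accepted STARTTLS with a 220 reply.

    Any other outcome raises StarttlsRequired: the client fails closed rather
    than silently carrying on over the plaintext connection.
    """
    f = sock.makefile("rb")
    code, _ = _read_reply(f)
    if code != 220:
        raise StarttlsRequired(f"unexpected greeting {code}")
    sock.sendall(f"EHLO {helo_name}\r\n".encode())
    code, caps = _read_reply(f)
    if code != 250:
        raise StarttlsRequired(f"EHLO rejected with {code}")
    # caps[0] is the server's greeting line; the rest are extension keywords
    if "STARTTLS" not in (c.split()[0].upper() for c in caps[1:] if c):
        raise StarttlsRequired("server did not advertise STARTTLS (missing or stripped)")
    sock.sendall(b"STARTTLS\r\n")
    code, _ = _read_reply(f)
    if code != 220:
        raise StarttlsRequired(f"STARTTLS refused with {code}")
    # A real client now wraps `sock` with ssl.create_default_context()
    # (verifying the certificate) and re-issues EHLO over TLS.
    return True


def serve_script(ehlo_lines, starttls_reply):
    """Start a loopback server that answers with constructed replies; return (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as f:
            conn.sendall(b"220 mx.example ESMTP\r\n")  # constructed greeting
            f.readline()  # the client's EHLO
            last = len(ehlo_lines) - 1
            body = "".join(
                f"250{'-' if i < last else ' '}{line}\r\n"
                for i, line in enumerate(ehlo_lines)
            )
            conn.sendall(body.encode())
            cmd = f.readline()  # STARTTLS, or b"" if the client hung up
            if cmd.upper().startswith(b"STARTTLS"):
                conn.sendall(starttls_reply.encode() + b"\r\n")
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()


def attempt(ehlo_lines, starttls_reply="220 Ready to start TLS"):
    """Connect to a scripted server and report the client's decision as a string."""
    sock = socket.create_connection(serve_script(ehlo_lines, starttls_reply))
    with sock:
        try:
            negotiate_starttls(sock)
            return "upgrade"
        except StarttlsRequired as exc:
            return f"refuse: {exc}"


if __name__ == "__main__":
    print(attempt(["mx.example", "SIZE 10240000", "STARTTLS"]))
    print(attempt(["mx.example", "SIZE 10240000"]))
    print(attempt(["mx.example", "STARTTLS"], "454 TLS not available due to temporary reason"))
```

The second case is the one worth noting for admins: an attacker on the path does not need to break TLS, only to delete the `250-STARTTLS` line from the EHLO reply, so a client that merely "tries" STARTTLS learns nothing from its absence. Refusing to proceed is the only safe default for a client that has decided the session must be encrypted; for server-to-server relaying on port 25 the summary's point stands, since most peers cannot be required to offer TLS at all.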
(Score: 2) by SecurityGuy on Monday November 02 2015, @04:50PM
Because lots of people are involved in the decision of what's sensitive and what's not, and some get it wrong. I knew people in the healthcare sector who thought nothing of forwarding all their email to Hotmail. I can't imagine there aren't people in the financial sector who did the same when it was possible (and probably still do in places where it isn't technically forbidden).
A decade or so ago I briefly had a doctor who thought it was no big deal to tell me stories about other people's ills with enough detail that I could figure out who they were. People who should know better sometimes don't.