Cobalt hackers accidentally leaked a list of all their current targets in a spear-phishing campaign last week. The group sent out a mass email, but instead of including the campaign’s targets in the email’s BCC field, they added their targets’ emails in the “To:”” field. The Cobalt group let researchers know who they were targeting
Source: