[c0llision]

I don't think hashes of email addresses are very secure. You can get all of the email addresses from the smtp logs. There are also massive email lists out there that the attacker could run the hashes against, like the adobe leak. Email addresses typically follow specific formats, such as firstname.lastname@gmail.com, and would be quite easy to bruteforce/dictionary attack. If the hashes were to ever leak, easily >95% would be cracked, especially if they are using single-round SHA512.

[3np]

Sure, there's no silver bullet and the author never claimed it's perfectly secure (is there such a thing?). But this is definitely an improvement - it clearly limits exposure.

To successfully do a brute-force the attacker would also need the salt, which means that the database by itself will not yield any e-mail addresses.

[yobert]

Another benefit isn't a security one, but a user-friendliness one: This forces all emails to your users to be initiated by them in some way, which limits future business decisions about sending email by automated processes. Good for users, but may be bad for business.

[sroussey]

Also, possibly illegal. If you have a data breach, you must contact your users.

Probably better to use encryption with public / private keys.