People Directory search can be misused to retrieve email addresses of all users


      Even when email addresses should be hidden because of global settings, it is possible to retrieve the email addresses of all the users in the system by (mis)using the search in the people directory.

      It seems that the email address is one of the attributes that are being indexed by the search engine. So if one searches for "j*@*", they will see the users whose email address matches this expression listed in the search results. If this user iteratively adds another letter after "j", e.g. "jo*@*", and keeps tuning the expression based on the search results, they can find out the whole email address of, e.g., user Joe, which is joe_doe@yahoo.com.

      This process can be automated using a script, and it should theoretically be possible to retrieve the email addresses of all users in a matter of minutes.

      Suggested fixes:
      1) don't index email addresses if the "hide email addresses" setting is on
      2) index only the part of the email address that is before @. e.g. for email address joe_doe@yahoo.com, index only joe_doe
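The enumeration described in this report, and the two suggested fixes, as an added example that is not part of the issue or of the product's own code. It uses Python's fnmatch as a stand-in for the search engine's wildcard matching, a constructed three-user directory (not real accounts), and an assumed character alphabet; it generalises the "j*@*" step above to a depth-first prefix refinement that recovers every indexed value using only the "which users match this pattern" oracle, then runs the same attack against an index built under fix 1 (nothing indexed while hidden) and fix 2 (local part only).

```python
import fnmatch
import string

# Constructed sample directory for the demo; these are not real accounts.
USERS = {
    "joe": "joe_doe@yahoo.com",
    "jane": "jane.roe@example.org",
    "jim": "jim@corp.example",
}

# Characters the enumerator tries at each position. Assumption: a real
# attacker would pick the alphabet from the site's address policy.
ALPHABET = string.ascii_lowercase + string.digits + "._-@"


def build_index(users, hide_emails, local_part_only=False):
    """Return the per-user value the search engine indexes.

    Vulnerable behaviour: the full address is indexed even when hidden.
    Suggested fix 1: index nothing for the email field while the
    "hide email addresses" setting is on.
    Suggested fix 2: index only the part before the '@'.
    """
    index = {}
    for name, email in users.items():
        if hide_emails:
            continue
        index[name] = email.split("@", 1)[0] if local_part_only else email
    return index


def search(pattern, index):
    """Stand-in for the people-directory search: which users have an indexed
    value matching the glob pattern (fnmatch semantics assumed here)."""
    return sorted(name for name, value in index.items()
                  if fnmatch.fnmatchcase(value, pattern))


def enumerate_emails(index, alphabet=ALPHABET):
    """Recover every indexed value using only the search oracle.

    Depth-first refinement: starting from the empty prefix, try every
    character, keep the prefixes that still return hits, and record a
    value as complete when the prefix alone (no wildcard) matches a user.
    Returns (recovered values by username, number of queries issued).
    """
    found = {}
    queries = 0
    frontier = [""]
    while frontier:
        prefix = frontier.pop()
        for ch in alphabet:
            candidate = prefix + ch
            queries += 1
            hits = search(candidate + "*", index)
            if not hits:
                continue
            queries += 1
            exact = search(candidate, index)  # pattern with no wildcard
            for name in exact:
                found[name] = candidate
            if len(exact) < len(hits):
                frontier.append(candidate)  # longer values share this prefix
    return found, queries


if __name__ == "__main__":
    for label, index in [
        ("hidden setting ignored (vulnerable)", build_index(USERS, hide_emails=False)),
        ("fix 1: not indexed when hidden", build_index(USERS, hide_emails=True)),
        ("fix 2: local part only", build_index(USERS, hide_emails=False, local_part_only=True)),
    ]:
        recovered, n = enumerate_emails(index)
        print(f"{label}: {n} queries -> {recovered}")
```

Against the vulnerable index the loop recovers all three full addresses in a few thousand queries, which is the "matter of minutes" the report estimates. Under fix 1 nothing is recoverable; under fix 2 the same loop still recovers the local parts (joe_doe, jane.roe, jim), so fix 2 only limits the leak to what the directory would display anyway, while fix 1 closes it.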

              Assignee:
              Unassigned
              Reporter:
              Igor Minar
              Votes:
              1
              Watchers:
              6
