
Pretty common
I've seen bigger vendors make this same mistake: IBM, to name one. The New York State security notification list I'm on has made this same gaffe multiple times in the last 6 months. I have the email thread where they promise it won't happen again and then include the multiple emails from them where it did shortly after that...