Information about Jenkins user accounts is generally available to anyone with Overall/Read permissions via the /user/(username)/api remote API. This included e.g. Jenkins users' email addresses if the Mailer Plugin is installed.
External References:
https://jenkins.io/security/advisory/2017-10-11/