The addresses of these people were included in an email that was sent to a number of people by DFAT's consular operations section that deals with COVID-19.
The Guardian quoted the message as saying that interest-free loans were available to those who had been stranded.
The email went out to batches of travellers with about 500 email addresses visible in the cc field.
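An outbound-mail check of the kind that would have caught this: count the distinct addresses a recipient can see in the To and Cc headers, block the send when the count exceeds a policy limit, and offer a rewrite that moves the Cc list into Bcc. This is an added example, not code from the article or from DFAT; the threshold, the `example.invalid` addresses and the sample message are constructed for illustration.

```python
"""Outbound-mail check for the failure mode described above: a batch
notification with hundreds of recipient addresses visible in Cc.
Added example; the threshold and sample message are constructed."""
from email import policy
from email.parser import Parser
from email.utils import getaddresses

# Hypothetical policy threshold: above this many visible recipients, the
# message must use Bcc (or one message per recipient) instead.
MAX_VISIBLE_RECIPIENTS = 20


def visible_recipients(raw_message: str) -> list[str]:
    """Return the distinct, lower-cased addresses every recipient would see
    in the To and Cc headers (Bcc is not delivered to recipients)."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    fields = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    addrs = {addr.strip().lower() for _, addr in getaddresses(fields) if addr}
    return sorted(addrs)


def check_outbound(raw_message: str, limit: int = MAX_VISIBLE_RECIPIENTS) -> dict:
    """Classify a message as 'ok' or 'block' with the visible-recipient count
    and a remediation hint."""
    seen = visible_recipients(raw_message)
    if len(seen) > limit:
        return {
            "verdict": "block",
            "visible": len(seen),
            "reason": (f"{len(seen)} recipient addresses exposed in To/Cc "
                       f"(limit {limit}); move them to Bcc"),
        }
    return {"verdict": "ok", "visible": len(seen), "reason": ""}


def move_cc_to_bcc(raw_message: str) -> str:
    """Remediation: rewrite the message so the Cc list becomes a Bcc list,
    which the mail server strips before delivery."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    cc_values = [str(h) for h in msg.get_all("Cc", [])]
    if cc_values:
        del msg["Cc"]
        msg["Bcc"] = ", ".join(cc_values)
    return msg.as_string()


def build_sample(n: int) -> str:
    """Construct a batch notification with n constructed addresses in Cc,
    mirroring the pattern in the incident (the sender is also in To)."""
    cc = ", ".join(f"traveller{i:03d}@example.invalid" for i in range(n))
    return (
        "From: consular-ops@example.invalid\n"
        "To: consular-ops@example.invalid\n"
        f"Cc: {cc}\n"
        "Subject: Assistance for stranded travellers\n\n"
        "Interest-free loans are available.\n"
    )


if __name__ == "__main__":
    batch = build_sample(25)
    print(check_outbound(batch))                      # verdict: block, 26 visible
    print(check_outbound(move_cc_to_bcc(batch)))      # verdict: ok, 1 visible
```

Run as a gateway hook or a pre-send check in the mail client, the decisive control is the block verdict, not the rewrite: the safest fix for bulk notifications is one message per recipient, and the Bcc rewrite is the fallback where that is not practical.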
We apologise for unintentionally disclosing email addresses of stranded Australians we’re trying to help get home. No other personal information was disclosed. We want to get you home, and are working as hard as we can to do so. — DFAT (@dfat) September 30, 2020
Commenting on the screw-up, Nick Lennon, country manager for email security provider Mimecast ANZ, said: "With Cybersecurity Awareness Month kicking off today, this is a timely reminder that more than 90% of breaches are the result of human error.
"In most cases, when an organisation’s employees are part of a security incident or breach it is because they have been compromised by a malicious outsider without their knowledge or they have made an honest mistake and leaked sensitive information accidentally.
"Technology as one layer of defence is great, but it’s only one coat of paint. Organisations need to increasingly adopt a left-hand, right-hand approach. Technology in one hand, regular awareness training in the other.
"People will always make mistakes, but a couple of steps can help minimise these mistakes, damage to organisations and stress on the individual."
Jacqueline Jayne, security awareness advocate for KnowBe4 APAC, said: “For those of us in the cyber security world, the DFAT email bungle is not a surprise. Human error accounts for approximately 90% of successful cyber attacks.
"In this situation, while the matter was completely unintentional, it is still a serious incident that can have serious ramifications for the email recipients."
She said cyber criminals would now get their hands on the list of addresses through social engineering, adding that there were now more than a thousand opportunities to find it with dark web contacts.
"Then they would develop a well-crafted email to send out to these people with a seemingly legitimate offer on how they could get back home for a fraction of the current prices (which by the way are ridiculously high), ensuring the call to action is compelling and seemingly legitimate," Jayne said.
"While not everyone on the email list will fall for this trickery, there will be some that will because they always do."
She said criminals would then register a fake domain name and put up a very official-looking website to support criminal endeavours and maximise returns, and include this link in the email.
The next step would be to cross-check all the emails on their database for already compromised email, send their email and sit back and wait for the bait to catch the fish and look for victims on social media platforms to plan an approach there as well (as many people probably use this email to log into their social media accounts).