Indeed it increases the risk of being hacked, i also oppose the bounty managers for doing this. They should need to hide the details of participants so no one can trace the ids.
Can you tell which campaign is doing this ? I have not seen any signature campaign doing this so far from different campaign mangers in signature campaigns which are paying in bitcoins. It sounds really surpassing because there is actually no need of email for payment.
Mostly the bounty managers who are using different bounty portals ask for the signup on portal by using email, and those emails are then added in the spreadsheet as user id to reward the user accordingly.