Skip to content ↓ | Skip to navigation ↓

Google accidentally exposed hidden WHOIS records for more than 280,000 protected domains registered through its Google Apps for Work feature.

Cisco security researchers reported the issue on Thursday, stating a bug in the Google Apps domain renewal system had led to the public disclosure of hundreds of thousands of private information, including registrants’ names, physical addresses, email addresses and phone numbers.

According to the group of security researchers, the 282,867 domains affected account for 94 percent of the 305,000 domains registered through Google’s partnership with the domain name registrar eNom. For an additional $6 per year, users are offered a service called ID Protect to maintain all personal information included in their WHOIS records private.

However, in mid-2013 the Google Apps flaw began unmasking users who had opted for this privacy protection feature after a domain registration was renewed.

The chart below demonstrates the drastic shift in domains utilizing privacy protection to those with WHOIS information exposed, explained the security researchers:

Source: Cisco Talos

“At its peak, at least 90% of the domains registered were utilizing privacy protection which plummeted to less than 1%.”

Google addressed the issue less than one week after being notified of the flaw on February 19, and alerted affected customers earlier this week.

“We identified the root cause, made the appropriate fixes, and we’re communicating with affected Apps customers. We apologize for any issues this may have caused,” said a Google spokesperson.

Nonetheless, Cisco researchers warned the information leakage exposed the affected customers to a number of possible threats, including phishing scams and identity theft.

“The reality of this WHOIS information leak is that it exposed the registration information of hundreds of thousands of registration records that had opted into privacy protection without their knowledge or consent to the entire Internet,” read the blog post.

“This information will be available permanently as a number of services keep WHOIS information archived,” said the security researchers.