Google gaffe outs hidden whois data for almost 300,000 domains

Google Apps for Work the culprit

Google has committed an epic blunder that leaked the whois data for some 280,000 domains that were otherwise meant to be hidden and protected.

First reported by Ars Technica, 282,867 domains registered through the Google Apps for Work service saw information such as names, addresses, phone numbers and other registered details leaked out into the public domain.

Researchers working on behalf of Cisco Systems counted up the domains, which amount to some 94% of the addresses registered to Google Apps through a partnership with registrar eNom. Under that deal, customers could sign up for a $6 (around £4, or AU$7.87) per-year extra that promised to shield whois information from public view.

Information began leaking out in mid-2013 due to a software defect in Google Apps, with a domain's data made public when the domain was renewed. Cisco's Talos Security Intelligence and Research Group uncovered the flaw on February 19 and it was plugged some five days later, almost two years after it first occurred.

Google sounds warning

Google warned Google Apps customers of the breach this week and a spokesperson confirmed to Ars Technica that the problem stemmed from the way Google Apps integrated with eNom's domain registration program interface.

Luckily, much of the information contained within whois data is a mix of fake names, addresses and other data, though some of it will be genuine, and some of those who paid to protect their privacy will understandably be worried about the information publicly linking them to a certain domain.