Update: A Google spokesperson says:
“A security researcher recently reported a defect via our Vulnerability Rewards Program affecting Google Apps’ integration with the Enom domain registration API. We identified the root cause, made the appropriate fixes, and communicated this with affected Apps customers. We apologize for any issues this may have caused.”
According to Google, the bug has now been fixed and future eNom domain registrations won’t experience the same issue. Customers who were affected have had their unlisted registration status restored.
Original story follows…
The company’s Talos security research team has published an advisory on the problem, which began in mid-2013 and has been unmasking the details of people who opted for WHOIS privacy protection ever since.
The researchers found that admins were affected after they renewed their private WHOIS domain registration data. They studied 309,925 domains registered through Google’s partner registrar eNom and discovered that 94 percent were affected.
A fix has now been issued to address the error, but the exposed registration records will remain available because many WHOIS lookup services archive the information they index.
The Talos team warns: “It’s possible to mine this information and leverage it for malicious purposes, such as spamming, spear phishing or other potential forms of harassment.”
Google has sent an email to Apps admins apologising for the issue:
“Dear Google Apps Administrator, We are writing to notify you of a software defect in Google Apps’ domain registration system that affected your account. We are sorry that this defect occurred. We want to inform you of the incident and the remedial actions we have taken to resolve it.
When the unlisted registration option was selected, your domain registration information was not included in the WHOIS directory for the first year. However, due to a software defect in the Google Apps domain renewal system, eNom’s unlisted registration service was not extended when your domain registration was renewed. As a result, upon renewal and from then on forward, your registration information was listed publicly in the WHOIS directory.”
That’s likely to provide little comfort for people whose personal details are now out in the wild.
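The defect Google describes is a renewal step that extends the registration term but not the unlisted-registration add-on, so privacy silently lapses at the first renewal. The following Python model, added here as an illustration and not code from Google, eNom or Talos, shows the buggy renewal beside a corrected one and an audit check a registrar or domain owner could run over their own records to find domains whose privacy term is shorter than their registration term; the `Registration` class, the function names and the sample domains are all constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass, replace
from datetime import date


@dataclass(frozen=True)
class Registration:
    domain: str
    expires: date                 # end of the paid registration term
    privacy_expires: date | None  # end of the unlisted (WHOIS privacy) add-on; None if never selected


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years, clamping 29 Feb to 28 Feb when the target year has no 29 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def renew_buggy(reg: Registration, years: int = 1) -> Registration:
    """Models the defect in Google's notice: the registration term is extended,
    but the unlisted-registration add-on keeps its original expiry date."""
    return replace(reg, expires=add_years(reg.expires, years))


def renew_fixed(reg: Registration, years: int = 1) -> Registration:
    """Corrected renewal: the add-on is extended by the same term as the registration."""
    priv = reg.privacy_expires
    if priv is not None:
        priv = add_years(priv, years)
    return replace(reg, expires=add_years(reg.expires, years), privacy_expires=priv)


def privacy_exposures(regs: list[Registration]) -> dict[str, int]:
    """Audit check: for every domain that opted into privacy, report how many days of
    its registration term are not covered by the add-on (0 means fully covered)."""
    out: dict[str, int] = {}
    for r in regs:
        if r.privacy_expires is None:
            continue  # owner chose a listed registration; nothing to protect
        out[r.domain] = max((r.expires - r.privacy_expires).days, 0)
    return out


# Constructed sample records, not real registrations.
SAMPLE = [
    Registration("example-one.test", date(2014, 6, 1), date(2014, 6, 1)),
    Registration("example-two.test", date(2014, 6, 1), None),
]

if __name__ == "__main__":
    print("after buggy renewal:", privacy_exposures([renew_buggy(r) for r in SAMPLE]))  # {'example-one.test': 365}
    print("after fixed renewal:", privacy_exposures([renew_fixed(r) for r in SAMPLE]))  # {'example-one.test': 0}
```

The same check applied to live data would compare the registrar's own expiry date for the privacy service against the domain's expiry date, which is the gap the email describes.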