A Google software problem exposed the names, addresses, email addresses and phone numbers used to register websites after people had chosen to keep the information private. The problem, which occured in mid-2013, slowly began unmasking the hidden registration information for owners’ domains that had opted into WHOIS privacy protection. According to Craig Williams, senior technical leader for Cisco’s Talos research group who discovered the issue, these domains all appear to be registered via Google App, using eNom as a registrar. Google partners with third-party registrars to allow customers who do not already own a domain to purchase one through them to use with Google Apps.

282,867 domains, or roughly 94% of the domainsregistered via Google’s partnership with eNom appear to have been affected. The information disclosed included full names, addresses, phone numbers, and email addresses for each domain.

The information was leaked in the form of WHOIS records. WHOIS privacy protection service is a commonly used feature for asserting privacy when it comes to Internet domain name registration. Without it, registration information associated with the domain registration, such as name, physical address, email, and phone number becomes exposed to everyone on the Internet.

Recently, Google sent out the following notification to its customers:

Dear Google Apps Administrator,

We are writing to notify you of a software defect in Google Apps’ domain registration system that affected your account. We are sorry that this defect occurred. We want to inform you of the incident and the remedial actions we have taken to resolve it.

When the unlisted registration option was selected, your domain registration information was not included in the WHOIS directory for the first year. However, due to a software defect in the Google Apps domain renewal system, eNom’s unlisted registration service was not extended when your domain registration was renewed. As a result, upon renewal and from then on forward, your registration information was listed publicly in the WHOIS directory.

The reality of this WHOIS information leak is that it exposed the registration information of hundreds of thousands of registration records that had opted into privacy protection without their knowledge or consent to the entire Internet. This information will be available permanently as a number of services keep WHOIS information archived.