Google App Accidentally Leaks Hundreds Of Thousands Of Customers’ Personal Info


Names, contact details, email info and phone numbers of hundreds of thousands of Google Apps domain owners have been accidentally leaked through a WHOIS error, according to a post on Cisco’s official blog.

The fault, according to the report, first appeared back in mid-2013 but was not discovered and fixed until recently. This means that people have been at risk for years.

The leak, which was uncovered by security researchers at Cisco, affects websites registered via Google Apps for Work using the registrar eNom, according to Business Insider. The reports said that owners of the affected websites had opted into “WHOIS privacy protection,” which means that when someone queries the website, the personal info of the person who registered it is kept private.

A total of 305,925 website domains were registered this way, but Cisco found that 282,867 of them (94%) have had their personal details unmasked due to a fault in Google’s code. Customers’ leaked information includes “full names, addresses, phone numbers, and email addresses.”

The service is available to users such as political bloggers, people who run a website about a hobby they would rather not reveal to the public, and those who simply want to remain anonymous. According to Business Insider, 305,925 website domains were registered this way, but Cisco’s discovery showed that 282,867 of them have had their personal details exposed as a result of a fault in Google’s code.

In addition to the direct threat that operators of sensitive websites may face as a result of the leak, they also run a greater risk of fraud, according to Cisco researchers. The ability to send “targeted spear phish emails containing the victim’s name address and phone number” could further expose the victims to attempts at fraud and identity theft.

However, a Google spokesperson said the issue has been fixed, and that the company was indeed sorry for the leak:


“A security researcher recently reported a defect via our Vulnerability Rewards Program affecting Google Apps’ integration with the Enom domain registration API. We identified the root cause, made the appropriate fixes, and communicated this with affected Apps customers. We apologize for any issues this may have caused.”

Google customers had earlier received a message of apology from the company:

“Dear Google Apps Administrator,

“We are writing to notify you of a software defect in Google Apps’ domain registration system that affected your account. We are sorry that this defect occurred. We want to inform you of the incident and the remedial actions we have taken to resolve it.

When the unlisted registration option was selected, your domain registration information was not included in the WHOIS directory for the first year. However, due to a software defect in the Google Apps domain renewal system, eNom’s unlisted registration service was not extended when your domain registration was renewed. As a result, upon renewal and from then on forward, your registration information was listed publicly in the WHOIS directory.”



Author: Ola Ric

Ola Ric is a professional tech writer. He has written and provided tons of published articles for professionals and private individuals. He is also a social commentator and analyst, with relevant experience in the use of social media services.
