Google Apps bug revealed names, addresses, and other data about almost 300K people
Registering a domain name requires that users provide a name, email address, and other personal information. Many registrars will keep this data from the public in exchange for an annual fee. But, as Google Apps customers who used the suite with a domain registered through eNom have discovered, total privacy isn't guaranteed.
Ars Technica reports that "the way Google Apps integrated with [eNom's] domain registration program interface" created a problem which made this private data publicly available. People were paying $6 per year to have the information hidden, yet between "mid-2013" and February 24, this bug made it so anyone could see it.
Cisco researchers claim the bug affected 282,867 of the 305,925 website domains -- roughly 94 percent -- which used eNom's privacy features. This meant hundreds of thousands of people who wished to maintain their privacy had their "full names, addresses, phone numbers, and email addresses" made available to the public.
This could be a real problem. As eNom warns on its website:
In America alone, there are an estimated 9 million cases of identity theft each year and 3 trillion spam emails sent each year. Spammers and thieves can get your information through your domain name’s public record. ID Protect keeps your information safe by privatizing your domain’s entry in public records.
Cisco notes that other potential problems could arise from this data's revelation:
The obvious risk here is that some of these individuals who have been unmasked may now be in some form of danger as a result of their connection with the domain registration. Additionally, threat actors may use domain registration information for malicious purposes. For example, sending targeted spear phish emails containing the victim’s name, address, and phone number to make the phish seem even more authentic.
Google is said to have fixed the problem and begun warning its Google Apps customers about the bug Thursday night. Yet the hundreds of thousands of people affected might still be insecure: Cisco says the information "will be available permanently" on some sites.
To add insult to injury, there's no word yet on whether eNom's customers will be refunded the $12 they spent to secure information that was made public anyway.
[illustration by Brad Jonas]