A Google software issue caused the WHOIS database, which contains the contact information for people who own domain names, to expose the names, addresses, email addresses and phone numbers used to register Web sites. This happened after people paid a fee to keep the information private.
Google issued this statement: "A security researcher recently reported a defect via our Vulnerability Rewards Program affecting Google Apps’ integration with the Enom domain registration API. We identified the root cause, made the appropriate fixes, and communicated this with affected Apps customers. We apologize for any issues this may have caused."
Craig Williams, senior technical leader for Cisco's Talos research group, who discovered the issue, explains in a post that the data will make it easier for cybercriminals to draft phishing emails that try to trick victims into divulging information or clicking on malicious links.
"At the time of writing this blog, there are 305,925 domains registered via Google's partnership with eNom [and] 282,867 domains, or roughly 94% appear have been affected," William wrote.
Williams said Google reports that new domains that have not yet faced a renewal period are not affected, and that many businesses do not opt into their privacy service.
"A security researcher recently reported a defect via our Vulnerability Rewards Program affecting Google Apps’ integration with the Enom domain registration API," said a Google spokesperson. "We identified the root cause, made the appropriate fixes, and communicated this with affected Apps customers. We apologize for any issues this may have caused."
While some domain owners choose to keep the information private for the wrong reasons, such as unscrupulous activity, others do so for legitimate reasons.
"The obvious risk is that some of these individuals who have been unmasked may now be in some form of danger as a result of their connection with the domain registration," Williams wrote. "Additionally, threat actors may use domain registration information for malicious purposes. For example, sending targeted spear phish emails containing the victim’s name, address, and phone number to make the phish seem even more authentic. As eNom points out, identify theft is also a possibility."
Google partners with registrars like eNom to let people register domain names. In fact, the company recently paid $25 million for the rights to use the .app top-level Web domain name, allowing others to provide a Web service to companies who want to launch a Web site.