It was just discovered that Google leaked the personal data of the owners of almost 280,000 domains registered through its Google Apps For Work service since 2013, according to Ars Technica. The leak was revealed in a blog post by Cisco Systems researchers. Unlike most leaks, which involve an attacker deliberately exploiting a weak point to pull data out of a database, this data was simply published to anyone who searched for it in WHOIS, the public directory of registered domains.
The leak was caused by a bug in Google’s software, which began revealing the personal data of domain owners who renewed their registrations from mid-2013 onward, including names, phone numbers, and physical addresses. WHOIS publishes that data by default, but the Apps For Work service, a suite of tools for enterprise clients, offered an optional $6-per-year feature that hid it and kept the real details with the registrar eNom, a Google partner. 94 percent of the 305,925 domains registered had bought the annual privacy feature, yet the bug made the data public once a domain was renewed, which, as the infographic provided in the Cisco security researchers’ report shows, covered almost all registered domains by late 2013.
The Cisco Systems researchers noted in their post that the leaked data will remain available online permanently, since many services archive WHOIS records. As Ars Technica points out, some of the data, filled out when registering a domain, is likely falsified, but enough of it could be collected and analyzed for patterns to point to real people. Unfortunately, that optional $6-per-year privacy service likely gave some users false confidence, and may have led them to share more personal data than they otherwise would have.
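The check a domain owner would want after reading this is simple: does the public WHOIS record for my domain show a privacy proxy, or my real contact details, and did that change after a renewal? The script below is an added example, not code from the article or from Google, eNom or Cisco Talos. The two WHOIS records are constructed (a `.test` domain with fake contacts), and the `PROXY_MARKERS` heuristic is an assumption about how privacy proxies label themselves, not any registrar's documented format.

```python
"""Check whether a WHOIS record exposes registrant contact data.

Added example, not code from the article or from Google, eNom or Cisco Talos.
The two records below are constructed for illustration (.test TLD, fake
contacts); the PROXY_MARKERS heuristic is an assumption about how privacy
proxies label themselves, not a registrar's documented format.
"""
import re

# Constructed sample: what a privacy-protected record looks like, with the
# proxy's details in place of the registrant's (proxy strings are assumed).
PROTECTED_RECORD = """\
Domain Name: example-corp.test
Registrar: eNom, Inc.
Registrant Name: WHOIS PRIVACY PROTECTION SERVICE
Registrant Organization: Whois Privacy Protection Service, Inc.
Registrant Street: PO Box 1234
Registrant City: Kirkland
Registrant Phone: +1.5555550100
Registrant Email: abc123@whoisprivacyprotect.test
"""

# Constructed sample: the same domain after a renewal that dropped the proxy,
# i.e. the failure mode the article describes (fake personal details).
EXPOSED_RECORD = """\
Domain Name: example-corp.test
Registrar: eNom, Inc.
Registrant Name: Jane Doe
Registrant Organization: Example Corp
Registrant Street: 123 Main St
Registrant City: Springfield
Registrant Phone: +1.5555550123
Registrant Email: jane.doe@example-corp.test
"""

# Substrings that, in the registrant name/org/email, suggest a privacy proxy
# rather than a real person. Heuristic: a real firm called "Protect Ltd"
# would match too, so read a hit as "probably protected".
PROXY_MARKERS = ("privacy", "proxy", "protect", "redacted")

# Fields whose presence with real values is the leak the article describes.
PERSONAL_FIELDS = (
    "Registrant Name",
    "Registrant Street",
    "Registrant City",
    "Registrant Phone",
    "Registrant Email",
)

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.*?)\s*$")


def parse_whois(text: str) -> dict:
    """Parse 'Key: Value' lines into a dict (first occurrence of a key wins)."""
    record = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if match:
            record.setdefault(match.group(1).strip(), match.group(2))
    return record


def is_privacy_protected(record: dict) -> bool:
    """True if the registrant identity fields look like a privacy proxy."""
    checked = [record.get(k, "").lower()
               for k in ("Registrant Name", "Registrant Organization", "Registrant Email")]
    return any(marker in value for value in checked for marker in PROXY_MARKERS)


def exposed_fields(record: dict) -> list:
    """Personal fields that are publicly visible; empty when a proxy is in place."""
    if is_privacy_protected(record):
        return []
    return [k for k in PERSONAL_FIELDS if record.get(k)]


def classify_change(before_text: str, after_text: str) -> str:
    """Compare a record captured before and after an event such as a renewal."""
    before = is_privacy_protected(parse_whois(before_text))
    after = is_privacy_protected(parse_whois(after_text))
    if before and not after:
        return "privacy_lost"      # the bug in the article: proxy dropped on renewal
    if after and not before:
        return "privacy_gained"
    return "protected" if after else "exposed"


if __name__ == "__main__":
    print(classify_change(PROTECTED_RECORD, EXPOSED_RECORD))   # privacy_lost
    print(exposed_fields(parse_whois(EXPOSED_RECORD)))
```

To use it on a real domain, feed the output of a `whois` lookup to `parse_whois` and keep a copy taken before the renewal to compare against; WHOIS key names vary between registrars and TLDs, so the field list and markers will need adjusting for records that do not use the `Registrant Name:` style shown here.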
According to Ars Technica, Cisco’s Talos Security Intelligence and Research Group discovered the bug on February 19, and the leak was plugged five days later. While this data wasn’t dumped in bulk and publicized the way data stolen by hackers usually is, the software oversight is alarming, especially since it went unnoticed for nearly two years.
Update: A Google spokesman reached out to share this statement:
“A security researcher recently reported a defect via our Vulnerability Rewards Program affecting Google Apps’ integration with the Enom domain registration API. We identified the root cause, made the appropriate fixes, and we’re communicating with affected Apps customers. We apologize for any issues this may have caused.”
[via Pando Daily]