A researcher at Cisco’s Talos security group recently discovered a bug that caused some Google Apps customers to have their personal information leaked via WHOIS domain listings for more than a year. Google Apps is a popular service these days, so in this case “some” means 282,867. So hundreds of thousands of customers thought they had domain privacy turned on, but a problem with Google’s partner registrar eNom broke privacy settings. Google has fixed the problem, but what a mess.

According to Cisco, the issue began in mid-2013 when a change in the way eNom processed domain renewals started affecting customers. When a domain was initially registered, WHOIS privacy worked correctly. However, when domains were renewed, domain privacy stopped working even if customers selected it. Talos checked 309,925, and found that 94 percent of them were affected by the glitch — basically everyone who selected domain privacy in a previous billing cycle.

The problem, of course, is that WHOIS information is public. For a company that has a business address this isn’t a big deal, but many individuals use their home address. You can go right now to any of a multitude of websites and enter a domain name to find out who owns it. The only exception is when the domain owner has used WHOIS privacy to mask their personal information. Instead of the owner’s actual name, address, email, and other data, you see a generic corporate placeholder. Most domain registrars force customers to specifically request WHOIS privacy, and many actually charge a premium for it. eNom was asking $6 per year to enable this feature.

Talos notified Google of the error on February 19th following responsible disclosure procedures. This was obviously a goldmine of personal information that spammers and other internet villains would love to get their hands on. Even a few bits of personal information can make spam and phishing attacks much more effective. Google acknowledged the report within hours and set to work investigating, Talos provided additional information several days later, and by the following week Google had confirmed Talos’ observations and fixed the problem. After enabling privacy once again, Google notified customers yesterday and gave Talos the all-clear to disclose publicly.

So that’s where we are now — the WHOIS database for Google Apps customers with domains registered through eNom has been fixed. However, that data was on the open Internet and is still out there. Anyone with a cached copy of WHOIS databases from a few weeks ago would have access to the leaked information. Google has apologized to the affected customers, but that will be cold comfort to those who must now deal with the potential consequences of having their personal details leaked on the internet.