Google Accidentally Leaked 283,000 Website Owners’ Personal Details

Google has accidentally leaked about 283,000 website owners’ personal details in 2013 and it was only discovered two years later.

Reports said the fault first appeared back in mid-2013 but it has only recently been discovered and fixed.

The error was identified by security researchers at Cisco.

Craig Williams, senior technical leader for Cisco’s Talos research group who discovered the issue, said he stumbled across the problem last month while doing research on domains associated with malware.

vulnerability affects websites registered via Google Apps for work, using the registrar eNom.

The privacy breach involves whois, a database that contains contact information for people who have bought domain names.

The owners of the websites in question had all opted into “WHOIS privacy protection,” which means owners can elect to make information private, often by paying an extra fee. So if someone WHOISes — or queries — the website, the personal details of the individual who registered it are hidden.

Nearly 306,000 websites domains were registered this way but Cisco found that 282,867 or 94% of them have had their personal details unmasked due to a fault in Google’s code.

A Google software problem inadvertently exposed the names, addresses, email addresses and phone numbers used to register websites after people had chosen to keep the information private.

Williams said the data will make it easier for cybercriminals to draft phishing emails that try to trick victims into divulging information or clicking on malicious links.

Cisco first discovered the issue on February 19, 2015, two years after the fault first arose. After Google was notified, the search giant then fixed it around a week later, and notified customers on Friday.

In a notice, Google blamed a “software defect.”

It is unclear how many customers seeking anonymity were unmasked as a result of the error.

Williams said the damage will be long lasting, even if the privacy protections are back in place. Changes to whois records are immediately recorded by many people and organizations, including security companies.

Google Accidentally Leaked 283,000 Website Owners’ Personal Details