“We are writing to notify you of a software defect in Google Apps’ domain registration system that affected your account. We are sorry that this defect occurred. We want to inform you of the incident and the remedial actions we have taken to resolve it.”
So read a Google Apps email notification alerting thousands upon thousands of website owners to a software defect that affected 280,000 domain-registered websites.
“When you first created your Google Apps account, you registered your custom domain name [site name redacted] with the DNS registrar eNom through Google. By default, you were opted into eNom’s unlisted registration service (also called a “proxy registration service”) at no charge. This means that the registration information you provided when signing up was not included in the publicly accessible WHOIS directory. The information available for a given domain in this directory depends on what details you provided during the initial registration or subsequent updates, but may have included information such as your phone number or address.
When the unlisted registration option was selected, your domain registration information was not included in the WHOIS directory for the first year. However, due to a software defect in the Google Apps domain renewal system, eNom’s unlisted registration service was not extended when your domain registration was renewed. As a result, upon renewal and from then on forward, your registration information was listed publicly in the WHOIS directory.”
In layman’s terms: for the first year your registration was unlisted, but when your domain name was renewed the unlisted status was not carried over, and the personal information you used to register your site (your name, street address, phone number, and e-mail) was published in WHOIS for everyone to see, which makes you a prime target for doxxing, identity theft, and phishing scams. This did not affect everyone with a Google Apps account, however; only those who had a domain registered through the eNom service for at least 2 years, since the issue only appeared when the domain registration was renewed.
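To make the class of defect concrete, here is an added example (not code from the post, Google, or eNom): a hypothetical domain-registration record, a renewal routine that reproduces the described failure mode by rebuilding the record without consulting the existing privacy opt-in, the corrected routine that carries every setting forward, and an audit check that flags any domain whose WHOIS privacy lapsed across a renewal batch. All names, domains and dates are constructed for illustration.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Constructed model, not the registrar's code: a minimal registration record
# plus two renewal routines and an audit check for privacy regressions.


@dataclass(frozen=True)
class DomainRegistration:
    name: str
    expires: date
    whois_privacy: bool  # True = "unlisted"/proxy registration at the registrar
    registrant_email: str


def _extend(expires: date, years: int) -> date:
    # Approximate year arithmetic is sufficient for this illustration.
    return expires + timedelta(days=365 * years)


def renew_dropping_privacy(reg: DomainRegistration, years: int = 1) -> DomainRegistration:
    """Defective renewal: rebuilds the record from scratch and falls back to the
    registrar default (listed) instead of copying the existing privacy opt-in."""
    return DomainRegistration(
        name=reg.name,
        expires=_extend(reg.expires, years),
        whois_privacy=False,  # bug: the previous opt-in is never consulted
        registrant_email=reg.registrant_email,
    )


def renew_preserving_privacy(reg: DomainRegistration, years: int = 1) -> DomainRegistration:
    """Corrected renewal: only the expiry changes; every other attribute,
    including the privacy opt-in, is carried over from the existing record."""
    return replace(reg, expires=_extend(reg.expires, years))


def privacy_regressions(before, after):
    """Audit check: names of domains that were unlisted before renewal and
    listed afterwards. Run over a renewal batch before it is committed, so a
    regression like this one is caught in days rather than after a year."""
    after_by_name = {r.name: r for r in after}
    return sorted(
        r.name for r in before
        if r.whois_privacy and not after_by_name[r.name].whois_privacy
    )


# Constructed sample batch (not real domains or registrants).
SAMPLE = [
    DomainRegistration("alpha.example", date(2015, 3, 1), True, "owner@alpha.example"),
    DomainRegistration("beta.example", date(2015, 3, 1), False, "owner@beta.example"),
    DomainRegistration("gamma.example", date(2015, 3, 1), True, "owner@gamma.example"),
]


def audit(renew):
    """Apply a renewal routine to the sample batch and report regressions."""
    return privacy_regressions(SAMPLE, [renew(r) for r in SAMPLE])


if __name__ == "__main__":
    print("defective renewal exposes:", audit(renew_dropping_privacy))   # ['alpha.example', 'gamma.example']
    print("corrected renewal exposes:", audit(renew_preserving_privacy))  # []
```

The audit compares the batch before and after renewal rather than inspecting the renewal code, so it catches the regression regardless of where in the pipeline the flag is lost; the same comparison run against live WHOIS output would have surfaced the exposure described above on the first renewal cycle.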
The issue has since been resolved, and as a result of the breach Google Apps is giving one free year of service to all affected website owners. “This issue is fully resolved, but we’d also like to issue a credit equivalent to your account’s one-year domain registration fee… We apologize that the Google Apps domain registration service has not lived up to the standards that you, as our customer, expect from us.” That is a generous offer, but compared to the potential damage done, I don’t know whether many are willing to risk it, or whether the apology gift is of equal value to the threat caused.
Once the issue was discovered it was fixed in a matter of days, but it is worrisome that it went undetected for over a year.
What do you think of this issue? Are you one of the 280,000 sites affected by this software defect?