Google Apps flaw exposes 280,000 domain owners' details

Google Apps for Work have been revealing confidential customer details from 280,000 domains for up to two years.

A bug in Google's software and online tools including Gmail, Calendar, Google Sheets, Docs and Slides mean that the details of those who have registered private domains on which to run their business services have had their information listed in the WHOIS database, according to Cisco.

Cisco's Talos Security Intelligence and Research Group revealed those who paid to have their details hidden were safeguarded for the first year of registration.

However, when their domains were renewed, their details were posted to WHOIS rather than being enrolled in the eNom third-party privacy provider as they expected.

Talos explained in a blog post that revealing the identities of those who have registered domains could cause criminal activity to take place.

"Threat actors may use domain-registration information for malicious purposes. For example, sending targeted spear phish emails containing the victim's name, address, and phone number to make the phish seem even more authentic," it said.

A Google spokesman confirmed Talos had uncovered the flaw.

"A security researcher recently reported a defect via our Vulnerability Rewards Program affecting Google Apps' integration with the eNom domain registration API," the statement said.

"We identified the root cause, made the appropriate fixes, and communicated this with affected Apps customers. We apologize for any issues this may have caused."

The company confirmed the domains had returned to being private, although Talos noted some companies keep archived records of the WHOIS information so it could still be accessible in future.