Nick Biasini, Alex Chiu, Jaeson Schultz, and Craig Williams write:
In mid-2013, a problem occurred that slowly began unmasking the hidden registration information for owners’ domains that had opted into WHOIS privacy protection. These domains all appear to be registered via Google App [1], using eNom as a registrar. At the time of writing this blog, there are 305,925 domains registered via Google’s partnership with eNom. 282,867 domains, or roughly 94%, appear to have been affected [2]. (Google reports that new domains which have not faced a renewal period are not affected and many businesses do not opt into their privacy service.) The information disclosed included full names, addresses, phone numbers, and email addresses for each domain. The information was leaked in the form of WHOIS records.
Read more on Cisco Blogs.
Over on Ars Technica, Dan Goodin adds a response from Google:
A Google spokesman said the bug resided in the way Google Apps integrated with Enom’s domain registration program interface. It was reported through Google’s Vulnerability Rewards Program. The spokesman said the root cause has been identified and fixed.