Domain name registrar EasyDNS has 'fessed up to accidentally leaking cloaked contact details for about 1,500 domain owners in Whois query results for just over 24 hours.
Those records – such as names, phone numbers, email addresses, and postal addresses – should have been kept private, and not disclosed in Whois searches, due to privacy protections requested by the domain owners.
However, between Thursday, October 25 1230 ET and Friday, October 26 1500 ET, the opposite happened, and information folks had paid to keep under seal were revealed in Whois searches. The Canadian biz notified its customers of the screw-up today, November 2.
In an email to punters, EasyDNS CEO Mark Jeftovic said the personal info was exposed by a bug in a system provided by Tucows – the second largest domain registrar in the world – which EasyDNS uses in its backend to manage domain names.
“Unfortunately the deployment contained a software bug, and the result was that domains with Whois privacy enabled had the underlying contact data displayed when queried via Whois during the period affected,” the email stated.
Jeftovic told The Register that about 2,400 domains with Whois privacy protections enabled were queried during the 26-hour period. This equated to about 1,500 customers who had their information disclosed in lookup results for their domain names.
What should have happened is that the queries return generic contact details for a front organization called MyPrivacyNet Ltd, masking the actual contact details for the domain-name owner. In reality, the real info slipped through into Whois lookups, giving away the identity and contact details of the owner of a particular EasyDNS-managed domain. People pay EasyDNS to keep that info under wraps for privacy reasons and to avoid spam.
Jeftovic stressed that only contact details for the domain were exposed; no passwords were leaked.
As for the risks involved from the leak, he told customers in a follow-up email: "We know from experience, the vast majority of Whois lookups are automated bots. The most likely negative outcome from this will be junk mail, junk faxes or email spam sent to your underlying contact info."
Furor rages over ICANN and Facebook's bid to publish home addresses of website ownersREAD MORE
It appears that it was only EasyDNS punters who were affected by the bug, as Jeftovic said his biz has a unique configuration with Tucows, so it's possible this was overlooked during testing. We’ve asked Tucows for comment.
Jeftovic said that as soon as EasyDNS became aware of the issue, on October 26, it immediately shut down access to its data via Whois, and alerted Tucows.
In an email exchange with The Reg he said Tucows was “extremely responsive,” but added that the situation "obviously sucks." The contrite exec apologized to members by saying that his firm was “deeply regretful” about the incident and had made its concerns known to the vendor. We have asked Tucows for comment but there is no word as yet.
EasyDNS is also giving a $7.50 credit for all domains affected – which is the cost of its Whois privacy service – regardless of whether or not the owners had paid for it or if it was included in their service contract. Anyone who paid for Whois privacy as an add-on can contact the support team to have a refund rather than credit. ®
Updated to add
Folks covered by Europe's GDPR may have had their contact information redacted anyway, due to the privacy regulations, according to EasyDNS in a note to customers.