Web domain owners paid EasyDNS to cloak their contact info from sight. It was blabbed via public Whois anyway

Registrar apologizes as punters wait for spam tsunami

Domain name registrar EasyDNS has 'fessed up to accidentally leaking cloaked contact details for about 1,500 domain owners in Whois query results for just over 24 hours.

Those records – such as names, phone numbers, email addresses, and postal addresses – should have been kept private, and not disclosed in Whois searches, due to privacy protections requested by the domain owners.

However, between Thursday, October 25 1230 ET and Friday, October 26 1500 ET, the opposite happened, and information folks had paid to keep under seal was revealed in Whois searches. The Canadian biz notified its customers of the screw-up today, November 2.

In an email to punters, EasyDNS CEO Mark Jeftovic said the personal info was exposed by a bug in a system provided by Tucows – the second largest domain registrar in the world – which EasyDNS uses in its backend to manage domain names.

According to the boss, on Thursday, October 25, Tucows deployed some new components to prepare for the Registration Directory Services system that will replace the Whois directory system.

“Unfortunately the deployment contained a software bug, and the result was that domains with Whois privacy enabled had the underlying contact data displayed when queried via Whois during the period affected,” the email stated.

Jeftovic told The Register that about 2,400 domains with Whois privacy protections enabled were queried during the 26-hour period. This equated to about 1,500 customers who had their information disclosed in lookup results for their domain names.

What should have happened is that the queries return generic contact details for a front organization called MyPrivacyNet Ltd, masking the actual contact details for the domain-name owner. In reality, the real info slipped through into Whois lookups, giving away the identity and contact details of the owner of a particular EasyDNS-managed domain. People pay EasyDNS to keep that info under wraps for privacy reasons and to avoid spam.

Jeftovic stressed that only contact details for the domain were exposed; no passwords were leaked.

As for the risks involved from the leak, he told customers in a follow-up email: "We know from experience, the vast majority of Whois lookups are automated bots. The most likely negative outcome from this will be junk mail, junk faxes or email spam sent to your underlying contact info."




It appears that it was only EasyDNS punters who were affected by the bug, as Jeftovic said his biz has a unique configuration with Tucows, so it's possible this was overlooked during testing. We’ve asked Tucows for comment.

Jeftovic said that as soon as EasyDNS became aware of the issue, on October 26, it immediately shut down access to its data via Whois, and alerted Tucows.

In an email exchange with The Reg he said Tucows was “extremely responsive,” but added that the situation "obviously sucks." The contrite exec apologized to members by saying that his firm was “deeply regretful” about the incident and had made its concerns known to the vendor. We have asked Tucows for comment but there is no word as yet.

EasyDNS is also giving a $7.50 credit for all domains affected – which is the cost of its Whois privacy service – regardless of whether or not the owners had paid for it or if it was included in their service contract. Anyone who paid for Whois privacy as an add-on can contact the support team to have a refund rather than credit. ®

Updated to add

Folks covered by Europe's GDPR may have had their contact information redacted anyway, due to the privacy regulations, according to EasyDNS in a note to customers.
