Cloudflare Registrar just doxxed me via WHOIS on .ai TLD
I recently registered a domain with the .ai TLD through Cloudflare. Despite their claim that "WHOIS information is redacted by default for your privacy," my personal contact information was publicly exposed via WHOIS shortly after registration.
Even Cloudflare's own RDAP lookup tool (https://rdap.cloudflareregistrar.com/ui/index.html) reports that the data is redacted. However, multiple third-party WHOIS servers returned my unredacted information, and it has since been scraped and stored by historical WHOIS trackers.
I’ve saved evidence of the exposure, but there appears to be no way to retroactively remove this data from those sources. I'm currently on Cloudflare's free plan—do I really need to upgrade to a paid plan just to get this escalated or acknowledged by their support team?
Any advice or similar experiences would be appreciated.
4 Replies
Thanks for the report, and my apologies this impacted you - that really sucks.
I reproduced and raised this months ago when it was first discovered, and was assured it had been fixed and pushed for anyone impacted to be contacted about this leak of unredacted personal information. Tagging some folks for escalation, cc @rickyrobinett @rita
For those folks with access, you can see the escalation conversation here: https://canary.discord.com/channels/595317990191398933/1022981666744061972/1346906966181679206
Just received this from cloudflare support ( They let me file a ticket through their dashboard randomly, but i think its all AI agent driven):
it is true that some TLDs just don't allow this, I don't know about .ai specifically
while true, some TLDs like
.us where that is a thing, clearly state that multiple times during the checkout process, .ai does not, and I raised this months ago.
Another user seems to have hit this again fwiw as per https://x.com/raj/status/1932870382262088014, and Dane is on it. Hopefully there'll be a real resolution soon.