YouTube Bug Could Have Exposed Emails of 2.7 Billion Users
Security Researchers Uncover Exploit Linked to Google’s GaiaID System, Now Patched

A critical vulnerability in YouTube’s system could have exposed the email addresses of its 2.7 billion users, according to security researchers Brutecat and Nathan. The exploit, which leveraged flaws in Google’s GaiaID system, allowed attackers to link user IDs to email addresses. While the bug was disclosed to Google in September 2023 and promptly patched, the researchers warn that similar vulnerabilities might still exist across other Google products like GPay, Play, and Maps.
Google has since awarded the researchers a $10,000 bounty and confirmed no evidence of abuse by attackers.
The exploit worked by combining two design flaws in Google’s APIs. GaiaID, a unique identifier tied to individual Google accounts, was leaked through features like YouTube’s live chat and comments API. By using the Pixel Recorder app, researchers demonstrated how a malicious actor could send an email to a victim without triggering a notification, effectively bypassing user alerts. This method, while now fixed, highlights the potential risks of linking GaiaIDs to sensitive user information across Google’s ecosystem.
With billions of users relying on Google’s services, the scale of this vulnerability is staggering. YouTube alone boasts 2.7 billion users, while Google Maps has surpassed 10 billion Android installs. Although Google has addressed the YouTube-specific issue, the researchers urge the tech giant to investigate and patch similar vulnerabilities in its other platforms to safeguard user privacy on a global scale.
Source: Forbes 2025