YouTube Bug Could Have Exposed Emails Of 2.7 Billion Users
YouTube Bug Could Have Exposed Emails Of 2.7 Billion Users
For at least four months, YouTube was vulnerable to a sneaky exploit that could have leaked the email address of any of its users — all 2.7 billion of them.
Andisearch Writeup
A security researcher known as Brutecat discovered a vulnerability that could expose the email addresses of YouTube's 2.7 billion users by exploiting two separate Google services[1][2]. The attack chain involved extracting Google Account identifiers (GaiaIDs) from YouTube's block feature, then using Google's Pixel Recorder app to convert these IDs into email addresses[^1].
To prevent notification emails from alerting victims, Brutecat created recordings with 2.5 million character titles that broke the email notification system[1]. The exploit worked by intercepting server requests when clicking the three-dot menu in YouTube live chats, revealing users' GaiaIDs without actually blocking them[2].
Brutecat reported the vulnerability to Google on September 15, 2024[1]. Google initially awarded $3,133, then increased the bounty to $10,633 after their product team reviewed the severity[1]. According to Google spokesperson Kimberly Samra, there was no evidence the vulnerability had been exploited by attackers[^2].
Google patched both parts of the exploit on February 9, 2025, approximately 147 days after the initial disclosure[^1].
[1]: [Brutecat - Leaking the email of any YouTube user for $10,000](https://brutecat.com/articles/leaking-youtube-emails) [2]: Forbes - YouTube Bug Could Have Exposed Emails Of 2.7 Billion Users
