In a move that highlights the ongoing battle for online privacy, Google quietly patched a vulnerability in YouTube’s systems last year that could have let anyone with basic tech skills pull the email addresses of millions of monetized creators. For U.S. YouTubers who rely on the platform for their livelihoods, this flaw meant potential exposure to everything from spam campaigns to outright harassment, risks that hit close to home in an era where cyber threats against public figures are on the rise.
The issue came to light through a security researcher known as skull, who goes by the handle @brutecat on X. In a detailed blog post on brutecat.com, skull explained how the bug worked:
“An attacker with access to a Google account that had a channel that joined the YouTube Partner Program (over 3 million channels) can obtain the email address as well as monetization details of any other channel in the YouTube Partner Program.”
It all stemmed from an access control flaw in a YouTube Studio API endpoint called /get_creator_channels, which leaked a channel’s content owner ID. From there, a quick query to the public Content ID API meant for handling copyright disputes revealed the associated email.
Skull discovered the vulnerability on December 12, 2024, and reported it to Google’s Vulnerability Reward Program just days later. “Nice catch!” was Google’s initial response on December 17, according to the researcher’s timeline. By January 2025, the bounty panel awarded $13,337, later bumping it up to $20,000 total after recognizing the issue’s impact on high-profile domains like youtube.com. The patch rolled out on February 21, 2025, and skull went public with a full write-up on March 13, 2025.
A 55-second proof-of-concept video, shared in the original disclosure and later recirculated on X, showed just how straightforward it was. Using an intercepting proxy such as Burp Suite, the demo navigated a partnered channel’s page, tweaked request parameters, including an undocumented “include_suspended” flag, and boom: the email popped up in the JSON response. No fancy hacking required, just some parameter fiddling that anyone with web dev knowledge could pull off.
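To make the access-control failure described above concrete, here is an added illustration (not Google's code and not from the researcher's write-up) that models a handler for a hypothetical /get_creator_channels endpoint twice: once trusting the caller-supplied channel id and honouring the undocumented parameter, and once checking that the authenticated account actually owns the channel and rejecting parameters outside the documented set. The channel records, account names and content owner ids are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Channel:
    channel_id: str
    owner_account: str      # Google account that owns the channel (hypothetical field)
    content_owner_id: str   # Content ID identifier; the page says this resolved to an email
    suspended: bool = False

# Constructed sample data for the illustration, not real channels.
CHANNELS = {
    "UC_alice": Channel("UC_alice", "acct-alice", "co-1111"),
    "UC_bob":   Channel("UC_bob",   "acct-bob",   "co-2222", suspended=True),
}

# The only parameter the documented contract is assumed to accept.
ALLOWED_PARAMS = {"channel_id"}

def get_creator_channels_vulnerable(session_account: str, params: dict) -> tuple:
    """Flawed handler: no ownership check, and an undocumented flag widens the
    lookup to suspended channels, so any partner can read any channel's owner id."""
    ch = CHANNELS.get(params.get("channel_id"))
    if ch is None:
        return ("not_found", {})
    if ch.suspended and not params.get("include_suspended"):
        return ("not_found", {})
    return ("ok", {"channel_id": ch.channel_id, "content_owner_id": ch.content_owner_id})

def get_creator_channels_fixed(session_account: str, params: dict) -> tuple:
    """Hardened handler: reject unknown parameters up front, then release the
    content owner id only for a channel the authenticated account owns."""
    unknown = set(params) - ALLOWED_PARAMS
    if unknown:
        return ("bad_request", {"unsupported": sorted(unknown)})
    ch = CHANNELS.get(params.get("channel_id"))
    # Same answer for "does not exist" and "not yours": the endpoint must not
    # become an oracle for which channel ids belong to other accounts.
    if ch is None or ch.owner_account != session_account:
        return ("forbidden", {})
    return ("ok", {"channel_id": ch.channel_id, "content_owner_id": ch.content_owner_id})
```

The ownership comparison is the whole fix; the parameter allowlist simply stops undocumented flags from reaching the lookup at all.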
For the roughly 3 million creators in the YouTube Partner Program, emails aren’t just inboxes; they’re gateways to sponsorship deals, collaborations, and personal safety. Exposure could fuel targeted phishing scams, where fraudsters pose as brands for fake endorsements, or worse, doxxing that leads to real-world harassment. In the U.S., where online personalities face escalating threats from swatting incidents to identity theft, this bug amplified an already tense environment. As one cybersecurity expert noted in discussions on Hacker News, the $20,000 bounty seemed “undervalued” given the potential for mass doxxing on gray markets.
Importantly, there’s no evidence of widespread exploitation before the fix. Google confirmed the patch removed leaky parameters and tightened controls, and affected creators weren’t broadly notified since abuse wasn’t detected.
This isn’t the same as the broader 2025 YouTube flaw that threatened emails for all 2.7 billion users. That one, also uncovered by skull and collaborator Nathan, chained leaks from live chat APIs and an old Pixel Recorder tool to convert internal Gaia IDs into emails. Patched around February 9, 2025, it earned about $10,633 in bounties and sparked wider privacy concerns across Google’s ecosystem. The partnered creator bug was narrower but more direct, zeroing in on monetized accounts via Studio tools.
The story bubbled up again in January 2026 when accounts like @DramaAlert and @DarkWebInformer reshared the demo video, igniting fresh reactions on X. Users expressed disbelief at the simplicity (“ridiculous how easy this was,” one reply summed up), while others questioned whether $20,000 truly matched the risk.
“Protecting millions from easy doxxing should be worth more,” argued commenters, echoing broader calls for better rewards in bug hunting.
As platforms like YouTube grow, incidents like this underscore the need for stronger accountability. Independent researchers like skull play a crucial role in spotting these gaps before they turn disastrous. For creators, it’s a reminder to use dedicated emails and enable two-factor authentication. Google, for its part, continues refining its systems, but with cyber threats evolving, vigilance remains key to keeping the creator economy safe.