Have you ever wondered how hackers get your email address? They use many tricky methods, but thanks to security researchers Brutecat and Nathan, they can’t use your YouTube account to find them. The researchers notified Google that a YouTube security flaw could expose billions of email addresses and open them to phishing attacks.
How YouTube Almost Put Your Inbox At Risk
When you create an account with a Google service like YouTube, the company automatically assigns your account a unique identifier called a Google Accounts and ID Administration (GAIA) number to anonymize your information and protect your privacy. However, Brutecat and Nathan found a flaw in Google’s API that undermined this protection. They discovered that when a YouTube user tried to block someone in Live Chat, clicking on the three-dot icon to block also triggered a request to reveal the user’s GAIA number.
Revealing this information is a problem since these numbers were never intended to be publicly available. Once the researchers discovered that they could access them, they wanted to see if they could uncover more information using them. They were successful, which escalated the vulnerability into a major security risk with potentially far-reaching implications.
They created and shared a recording to a GAIA number using the now-obsolete Pixel Recording App. Naming the file with 2.5 million characters ensured the user didn’t receive a notification that someone had shared a file with them. This clever method allowed them to convert the GAIA number into an email address.
Theoretically, hackers could exploit this YouTube security flaw to collect billions of user emails. This poses a significant risk for businesses: any employee using a work email on YouTube could expose the company to phishing attacks and data breaches.
Stop Phishing Attacks on Your Business
Brutecat and Nathan’s discovery thwarted a potential security disaster, but the incident should remind you that even the most popular and trusted platforms can have security flaws. Although nothing suggests the flaw exposed anything other than email addresses — and it doesn’t appear to have compromised passwords or other authentication information or that any hackers exploited it to launch cyberattacks — the situation highlights the importance of teaching employees about phishing threats.
Phishing attacks are the number one source of data breaches, costing businesses millions of dollars annually. If your business isn’t providing regular cybersecurity training, it could be vulnerable to previously undiscovered issues like the YouTube security flaw. Reiterate the danger and remind your employees:
- To set strong passwords and use multifactor authentication when possible.
- To watch for signs of a phishing email, like misspellings, unusual sender addresses, and urgent requests.
- To confirm unexpected messages or requests with the sender in person or by phone.
- To never click links from unknown senders.
- To report suspicious messages to IT security for further review.
The best defense remains an email security system that scans every message and blocks anything suspicious before it reaches your employees’ inboxes. But no system is perfect, so keep your team informed.
