The private email addresses for hundreds of YouTube video creators were made public this week when the Google-owned company temporarily forgot to lock down the beta sign-up form for its upcoming Fan Funding feature.
"For a short time yesterday, email addresses and channel names of creators using our Fan Funding sign up form were accessible to other creators signing up," a YouTube spokesperson told Polygon. "We fixed this mistake within an hour and apologize to those affected."
Thursday evening, YouTube announced that it was adding two new features: 60 frames per second playback and the ability for fans to directly pay video creators through the video hosting service.
A 7 p.m. tweet from YouTube Creators announced the feature and directed people interested in testing it out to sign-up on a Google Form created by YouTube.
The form required applicants to give YouTube their channel name, say whether they are part of a Multi Channel Network, note what category their channel is in and provide their contact email. The form also stated that YouTube would only use the email address to contact an applicant in connection with the Fan Funding Program.
After filling out the form and applying, the site directed users to a page that allowed them to edit their response, submit another response or "See Previous Responses."
Nick Monroe, the creator of YouTube channel PressFartToContinue, clicked on the option and was sent to an analytics page which displayed all of the email addresses submitted as well as a break down of the other answers.
"I was one of the first people to sign up, lucky enough to see the tweet from YouTube Creators seconds after it was posted," Monroe told Polygon. "After signing up and putting in my email and channel, I saw the 'See Previous Responses' link at the final page of the Sign-Up form. I clicked it out of curiosity and was shocked ... I thought it was ridiculous this information was just sitting there for anyone to use, and I thought to keep the tab open and check-in every so often that evening. To my surprise, people just kept signing up and this information was just pouring in. I copied a lot of the emails in notepad and sent a message to the people affected myself seeing that YouTube Creators wasn't going to."
Monroe provided several screenshots of the form and email addresses to Polygon for verification. At the time of this writing the option to see previous responses is no longer available. Monroe says that it appeared to have been fixed by 11 p.m. EST at which time there were about 300 emails displayed.
"This is a great example of how easy it is to make a damaging mistake in the Internet Age," Monroe said. "When security and privacy are one of the public's priorities, one small error is all it takes for something like this to happen. All YouTube Creators did was flip a switch, and everything was fixed. Every time people click a link, fill out a form, whatever they do on the Internet they should be aware of the consequences."
Daniel Figueroa, whose YouTube Channel is Digital Boundaries, said he was at work when he received an email from Monroe.
"I was at work, and received a random email notifying me of this situation," he said. "The emailer copied all he could, and even had a screenshot of the privacy breach."
Monroe recommends that anyone who signed up for the beta double check their email and enable two-step verification.
Polygon has reached out to others impacted by the breach and will update this story as they respond.
Update: This story has been updated with a statement from YouTube.