Israel researcher Oren Hafif of Israel disclosed details on how he was able to abuse a token exposed in a URL in order to reveal every Gmail address. His work earned him $500 through Google s bug bounty program, he said. Google has patched a vulnerability that exposes an indefinite number of Gmail addresses, a potential gold mine for phishing and advanced attacks. Email addresses have significant value to attackers because they can be used as a user name, but also because they are often used as user names.
Source: https://threatpost.com/token-abuse-exposes-gmail-addresses/106593/