Hacker News

tl;dr: API flawz. When you created a comment with a video, you could link somebody else's video instead of yours. Then if you deleted your comment, it would delete their videos.

On an unrelated note, his page linked to this youtube channel that looks pretty awesome! Books animated: https://www.youtube.com/channel/UCXLesGEfmyhxqOjoAqhRwhA




okay, thank you for your explanation. I couldn't figure out what the author was trying to say.


I'd say internal permission system flawz ... scary.


Not only that, but probably a polymorphism-related error? It sounds like the logic might be that dependent objects/relationships in the graph (like reply comments) were what was intended to be deleted, but links to other videos were considered dependent relationships and needed to be deleted as well.
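
The cascade described in the comment above, as an added illustration that is not code from the thread or from the affected platform: a constructed in-memory model where the write path accepts any existing video id and the delete path treats linked videos as dependents, next to a fixed version that enforces ownership at link time and re-checks it in the cascade. All names (Store, alice, bob, the ids) are assumptions.

```python
class Store:
    """Constructed in-memory model: videos {id: owner}, comments {id: (author, [video_ids])}."""

    def __init__(self):
        self.videos = {}
        self.comments = {}

    # Vulnerable write path: any existing video id is accepted, so a commenter
    # can reference somebody else's video.
    def create_comment_vulnerable(self, cid, author, video_ids):
        if any(v not in self.videos for v in video_ids):
            raise KeyError("unknown video")
        self.comments[cid] = (author, list(video_ids))

    # Vulnerable delete path: linked videos are treated as dependent objects
    # and removed with the comment, whoever owns them.
    def delete_comment_vulnerable(self, cid):
        _, video_ids = self.comments.pop(cid)
        for v in video_ids:
            self.videos.pop(v, None)

    # Fixed write path: ownership is checked when the link is created.
    def create_comment_fixed(self, cid, author, video_ids):
        if any(self.videos.get(v) != author for v in video_ids):
            raise PermissionError(f"{author} may only attach videos they own")
        self.comments[cid] = (author, list(video_ids))

    # Fixed delete path: the cascade re-checks ownership, so a stale or forged
    # link can never delete another user's video.
    def delete_comment_fixed(self, cid):
        author, video_ids = self.comments.pop(cid)
        for v in video_ids:
            if self.videos.get(v) == author:
                del self.videos[v]


def alice_video_survives(fixed):
    """Alice owns video 1; Bob links it from his comment, then deletes the comment."""
    s = Store()
    s.videos[1] = "alice"
    try:
        if fixed:
            s.create_comment_fixed(10, "bob", [1])
            s.delete_comment_fixed(10)
        else:
            s.create_comment_vulnerable(10, "bob", [1])
            s.delete_comment_vulnerable(10)
    except PermissionError:
        pass  # the fixed write path refuses the cross-owner link
    return 1 in s.videos
```

Whether a video should be a dependent of a comment at all is the design question the thread raises; the ownership check in the cascade is the defence-in-depth layer for when a bad link gets stored anyway.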


That's a common thing in permission / capabilities. Either the system is not expressive enough, or you get "false positives" and bounties included.


or maybe insecure direct object reference?



