Security Roundup: Apple’s Hide My Email Service Failed to Hide Your Email

The European Parliament’s PEGA Committee—created to investigate spyware abuses, including the infamous Pegasus malware—was targeted by Pegasus itself, according to a new study released this week. Meanwhile, Google’s top security staff warned this week that proposed EU competition rules could make Google Search and Android apps more vulnerable to hacking and other abuse.
A WIRED investigation revealed this week that Meta’s contractors posed as children and teenagers to see how chatbots like Gemini and ChatGPT responded to information about high-risk topics, including suicide, sex and drugs.
And a researcher realized that he could use Anthropic’s Claude Opus 4.7 to hack the Front Gate website and extract tickets to almost any music festival in the United States, including Lollapalooza and Bonnaroo.
But wait, there’s more! Each week, we cover security and privacy issues that we haven’t covered in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.
Back in 2021, Apple introduced its Hide My Email tool, which, as the name suggests, allows people to sign up for online services using an email address that is not directly linked to them. The privacy feature generates “unique, random email addresses” that will forward incoming messages to a personal email address—reducing the amount of information you need to provide to companies.
Reporting from 404 Media this week revealed that a vulnerability in the system has, for at least a year, exposed people’s real email addresses when they use Apple’s privacy service. “Apple Hide My Email leaks email addresses that should be hidden,” security researcher Tyler Murphy, who discovered the flaw in June 2025, told the publication. “In our limited tests with volunteers, 100% of Hide My Email addresses were usable,” he said.
The exact details of the vulnerability and how it works have not been disclosed as the problem has not been fixed. In tests conducted by 404 Media and Murphy, it was possible for a newly created Hide My Email address, which uses the @icloud.com domain, to be linked to the original email address of its creator. Murphy said he initially reported the problem to Apple last summer and was told it had been “resolved” in March of this year. However, as the researcher continued to explore the issue, it remained viable, with Apple telling Murphy a few months ago that it was still investigating the issue. Apple did not respond to requests for comment from the publication.
A nineteen-year-old has been arrested and extradited to the United States to face charges for his alleged involvement in the notorious Scattered Spider hacking group, the Department of Justice (DoJ) announced this week. Peter Stokes, a dual Estonian-US citizen, was arrested in Finland in April and charged with computer hacking, conspiracy and fraud, related to a criminal group.
It is alleged that Stokes, along with other members of a loose hacking group, hacked an unnamed “luxury jewelry retailer” and demanded an $8 million cryptocurrency ransom in May 2025. The company did not pay but still spent $2 million on the incident, according to a DoJ press release. In recent years, the Scattered Spider group, believed to be mostly made up of English-speaking youths, has caused havoc around the world by robbing and disrupting dozens of businesses. Stokes’ arrest follows two British Scattered Spider members, Thalha Jubair and Owen Flowers, recently pleading guilty to robbing London transport in 2024 and causing millions in damage.
After the move on the encrypted messaging app last year, WhatsApp has announced that it will soon roll out usernames to millions of people. The option means that people can communicate and send messages without sharing phone numbers, increasing privacy protection. However, officials in India, one of WhatsApp’s biggest markets, which has previously tried to open up encryption protections in the Meta-owned app, oppose the introduction of usernames. A letter from the Indian government, seen by Reuters, has asked WhatsApp to stop rolling out usernames in the country. The letter says the move could increase fraud and cybercrime, citing concerns about allowing anonymity online. The letter was followed by separate messages to Signal and Telegram regarding their use of usernames.
Thousands of automatic license plate reader cameras, known as ALPRs, have appeared across the United States in the past few years. The cameras, which can be deployed by police, cities and businesses, capture passing vehicles and record information about their movements. Along with license plate numbers, the systems can record the time and location of photos, the make and model of the vehicle, and bumper stickers. Billions of images and details of vehicle movements are captured in massive ALPR databases.
However, mounting evidence shows that when cameras go wrong, innocent people can be arrested by law enforcement officials and charged with crimes. A review of court records and media reports, which may be the end of the story, by the nonprofit Institute for Justice this week, found at least 24 cases of wrongful identification over the past eight years. These are said to include a couple with a child in their car, tied up and held at gunpoint; a camera that misread “O” as “0”, leading to the grandparents’ arrest; and a person who was pulled over after their license number was not removed from the wanted list. The findings add to the growing list of errors from AI-enabled cameras.



