Apple Hide My Email Service Fails to Keep Email Private

Summary
– A European Parliament PEGA Committee member was targeted with Pegasus spyware, according to new research.
– A vulnerability in Apple’s Hide My Email tool has allowed real email addresses to be uncovered for at least a year, with Apple still investigating.
– Nineteen-year-old Peter Stokes was arrested and extradited to the US for alleged involvement in the Scattered Spider hacking group.
– WhatsApp will roll out usernames to increase privacy, but the Indian government has opposed the move, citing fraud concerns.
– Automatic license plate reader cameras have caused at least 24 cases of misidentification in the last eight years, leading to innocent people being detained.

A member of the European Parliament’s PEGA Committee, a body formed to investigate spyware abuses including the notorious Pegasus malware, was himself targeted with the very same surveillance tool, according to fresh research released this week. Separately, senior security staff at Google warned that proposed EU pro-competition regulations could leave Google Search and Android systems vulnerable to hacking and other exploitation.
A WIRED investigation also uncovered that Meta contractors posed as minors to test how chatbots like Gemini and ChatGPT respond to high-risk prompts covering suicide, sex, and drugs. Meanwhile, a researcher discovered he could use Anthropic’s Claude Opus 4.7 to breach the website of Front Gate and generate tickets for nearly any U.S. music festival, including Lollapalooza and Bonnaroo.
But that’s not all. Each week, we compile the security and privacy stories we didn’t cover in depth. Click the headlines for full details, and stay safe.
Back in 2021, Apple introduced its Hide My Email feature, which lets users sign up for online services with an email address not directly tied to them. The privacy tool creates “unique, random email addresses” that forward messages to a user’s real inbox, minimizing the data shared with companies.
However, reporting from 404 Media this week revealed a vulnerability in the system that has, for at least a year, allowed people’s actual email addresses to be exposed while using Apple’s privacy service. “Apple Hide My Email is leaking email addresses that are supposed to be hidden,” security researcher Tyler Murphy, who discovered the flaw in June 2025, told the outlet. “In our limited tests with volunteers, 100% of Hide My Email addresses were exploitable,” he added.
The exact mechanics of the vulnerability remain undisclosed because the issue has not been resolved. In tests conducted by 404 Media and Murphy, a newly created Hide My Email address using the @icloud.com domain could be traced back to the creator’s real email. Murphy said he reported the problem to Apple last summer and was told it had been “addressed” by March of this year. But when he continued testing, the flaw persisted. Apple then told Murphy a couple of months ago that it was still investigating. Apple did not respond to requests for comment from the publication.
A 19-year-old has been arrested and extradited to the United States on charges related to their alleged involvement in the notorious Scattered Spider hacking group, the Department of Justice announced this week. Peter Stokes, an Estonian-U.S. dual citizen, was arrested in Finland in April and faces charges of computer intrusion, conspiracy, and fraud linked to the criminal gang.
Prosecutors allege that Stokes and other members of the loose hacking collective broke into an unnamed “luxury jewelry retailer” in May 2025 and demanded an $8 million cryptocurrency ransom. The company refused to pay but still incurred $2 million in costs from the incident, according to a DoJ press release. In recent years, Scattered Spider, largely believed to consist of young, English-speaking teenagers, has disrupted dozens of businesses worldwide. Stokes’ arrest follows two British Scattered Spider members, Thalha Jubair and Owen Flowers, who recently pleaded guilty to hacking Transport for London in 2024 and causing millions in damages.
Following a similar move by encrypted messaging app Signal last year, WhatsApp has announced it will soon roll out usernames to billions of users. The feature allows people to connect and message each other without sharing phone numbers, boosting privacy protections. However, officials in India, one of WhatsApp’s largest markets, who have previously tried to undermine encryption on the Meta-owned app, oppose the introduction of usernames. A letter from the Indian government, seen by Reuters, asked WhatsApp to pause the rollout in the country. The letter claimed the change could increase fraud and cybercrime, citing concerns about online anonymity. The letter was followed by separate messages to Signal and Telegram regarding their use of usernames.
Thousands of automatic license plate reader cameras, or ALPRs, have appeared across the United States in recent years. Deployed by police, cities, and businesses, these cameras photograph passing cars and record details about their movements. Beyond license plate numbers, the systems log the time and location of photos, the vehicle’s make and model, and even bumper stickers. Billions of images and vehicle movement records have been stored in vast ALPR databases.
Yet a growing body of evidence shows that when these camera systems make mistakes, innocent people can be detained by law enforcement and accused of crimes. A review of court records and media reports by the nonprofit Institute for Justice this week found at least 24 cases of misidentification over the past eight years, likely just the tip of the iceberg. These include a couple with a baby in their car being detained at gunpoint, a camera misreading an “O” as a “0” leading to grandparents being detained, and someone being pulled over after their license plate was not removed from a wanted list. The findings add to a mounting list of errors from AI-enabled cameras.
(Source: Wired)


