Security report: Apple’s Hide My Email service fails to hide your email

✨ Discover this must-read post from WIRED 📖

📂 **Category**: Security,Security / Privacy,Security / Security News,Security Roundup

✅ **What You’ll Learn**:

Political on The European Parliament’s PEGA committee — which was set up to investigate spyware abuses, including the notorious Pegasus malware — was targeted by Pegasus itself, according to new research findings released this week. Meanwhile, Google’s senior security staff warned this week that pro-competition rule proposals in the European Union could leave Google Search and Android systems vulnerable to hacking and other abuse.

An investigation by WIRED this week revealed that Meta contractors posed as children and teens to see how chatbots like Gemini and ChatGPT responded to prompts about high-risk topics, including suicide, sex and drugs.

One researcher realized he could use Anthropic’s Claude Opus 4.7 to break into the Front Gate website and issue tickets to almost any music festival in the United States, including Lollapalooza and Bonnaroo.

But wait, there’s more! Every week we round up security and privacy news that we haven’t covered in depth ourselves. Click on the titles to read the full stories. And stay safe out there.

Back in 2021, Apple launched the Hide My Email tool, which, as the name suggests, allows people to sign up for online services using an email address not directly associated with them. The privacy feature creates “random, unique email addresses” that redirect incoming messages to the user’s personal email address, reducing the amount of information they need to hand over to companies.

Reports from 404 Media this week revealed that a vulnerability in the system has, for at least a year, enabled people’s real email addresses to be discovered when they use Apple’s privacy service. “Apple Hide My Email leaks email addresses that are supposed to be hidden,” security researcher Tyler Murphy, who discovered the flaw in June 2025, told the publication. “In our limited tests with volunteers, the percentage of email addresses hidden was 100% exploitable,” he said.

The exact details of the vulnerability and how it works have not been revealed as the issue has not been resolved. In tests conducted by 404 Media and Murphy, a newly created Hide My Email address, which used the @icloud.com domain, was able to be linked back to its creator’s real email address. Murphy said he reported the issue to Apple last summer, and was told it had been “addressed” by March of this year. However, when the researcher continued testing the issue, it remained exploitable, with Apple telling Murphy two months ago that it was still investigating the issue. Apple did not respond to requests for comment from the publication.

The Department of Justice (DoJ) announced this week that a 19-year-old has been arrested and extradited to the United States to face charges for his alleged involvement in the notorious Scattered Spider hacking group. Peter Stokes, a dual Estonian-American citizen, was arrested in Finland in April and charged with computer hacking, conspiracy and fraud linked to the criminal ring.

Stokes, along with other members of the hacking collective, allegedly hacked into an unnamed “fine jewelry retailer” and demanded a ransom of $8 million in cryptocurrency in May 2025. The company did not pay but spent $2 million on the incident, according to a Justice Department press release. In recent years, the Scattered Spider group, largely believed to consist of young English-speaking teenagers, has wreaked havoc around the world by hacking and disrupting dozens of companies. Stokes’ arrest comes on the heels of two British members of Scattered Spider, Thalha Jubeir and Owen Flowers, recently pleading guilty to hacking into Transport for London in 2024 and causing millions in damages.

Following a move by encrypted messaging app Signal last year, WhatsApp announced that it will soon roll out usernames to billions of people. This option means that it is possible for people to call and message each other without having to share phone numbers, further protecting privacy. However, officials in India, one of WhatsApp’s largest markets, who had previously tried to expose encryption protection on the Meta-owned app, opposed the introduction of usernames. A letter from the Indian government, seen by Reuters, asked WhatsApp to temporarily stop releasing usernames in the country. The letter claimed that the move could increase fraud and cybercrime, citing concerns about allowing anonymity online. The letter was followed by separate letters to Signal and Telegram about their use of usernames.

Thousands of automatic license plate reading cameras, known as ALPRs, have popped up across the United States over the past few years. The cameras, which can be deployed by police, cities and companies, photograph passing cars and record details about their movements. In addition to license plate numbers, the systems can record the time and location of photos, make and model of vehicle, as well as bumper stickers. Billions of images and details of vehicle movements are captured in ALPR’s extensive databases.

However, a growing body of evidence shows that when camera systems make mistakes, innocent people can be detained by law enforcement officials and charged with crimes. A review of court records and media reports, likely the tip of the iceberg, by the nonprofit Institute for Justice this week found at least 24 cases of mistaken identity over the past eight years. These reportedly include a couple with a child in their car who were held at gunpoint; A camera misreads the letter ‘O’ as ‘0’, leading to the grandparents being detained; A person is stopped after his license plate is not removed from the wanted list. These findings add to a growing list of errors made by cameras supported by artificial intelligence.

⚡ **What’s your take?**
Share your thoughts in the comments below!

#️⃣ **#Security #report #Apples #Hide #Email #service #fails #hide #email**

🕒 **Posted on**: 1783170574

🌟 **Want more?** Click here for more info! 🌟

By

Leave a Reply

Your email address will not be published. Required fields are marked *