
Security Roundup: Apple’s Hide My Email Service Fails to Hide Your Email | WIRED

Plus: Alleged Scattered Spider hacking member extradited, dozens of license plate reader errors, and Indian officials are concerned about WhatsApp’s username...


Overview


A politician on the European Parliament’s PEGA Committee—created to investigate spyware abuses, including of the notorious Pegasus malware—was targeted with Pegasus himself, according to new research findings released this week. Meanwhile, top Google security staff warned this week that the pro-competition rule proposals in the EU could make Google Search and Android systems vulnerable to hacking and other abuse.

Details


A WIRED investigation revealed this week that Meta contractors posed as kids and teens to see how chatbots like Gemini and ChatGPT responded to prompts about high-risk subjects, including suicide, sex and drugs.

And a researcher realized that he could use Anthropic’s Claude Opus 4.7 to break into the website of Front Gate and issue tickets to almost any United States music festival, including Lollapalooza and Bonnaroo.


But wait, there’s more! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Apple’s Hide My Email Service Fails to Hide Your Email


Back in 2021, Apple launched its Hide My Email tool, which, as the name suggests, allows people to sign up for online services using an email address that isn’t linked directly to them. The privacy feature generates “unique, random email addresses” that will forward incoming messages to a user’s personal email address—reducing the amount of information you need to hand over to companies.

Reporting from 404 Media this week revealed that a vulnerability in the system has made it possible, for at least a year, for people’s real email addresses to be uncovered when they are using Apple’s privacy service. “Apple Hide My Email is leaking email addresses that are supposed to be hidden,” security researcher Tyler Murphy, who discovered the flaw in June 2025, told the publication. “In our limited tests with volunteers, 100% of Hide My Email addresses were exploitable,” he said.

The exact details of the vulnerability and how it works have not been revealed as the problem hasn’t been fixed. In tests conducted by 404 Media and Murphy, it was possible for a newly created Hide My Email address, which uses the @icloud.com domain, to be linked back to the real email address of its creator. Murphy said he originally reported the problem to Apple last summer and was told it had been “addressed” by March this year. However, when the researcher continued testing the issue, it remained exploitable, with Apple telling Murphy a couple of months ago that it was still investigating the issue. Apple did not respond to requests for comment from the publication.

Alleged Scattered Spider Member Extradited To Face US Charges


A nineteen-year-old has been arrested and extradited to the United States to face charges over their alleged involvement in the notorious Scattered Spider hacking group, the Department of Justice (DoJ) announced this week. Peter Stokes, an Estonian-US dual citizen, was arrested in Finland in April and has been charged with computer intrusion, conspiracy and fraud, linked to the criminal gang.

It is alleged that Stokes, along with other members of the loose hacking collective, hacked into an unnamed “luxury jewelry retailer” and demanded an $8 million cryptocurrency ransom in May 2025. The company did not pay but still spent $2 million on the incident, according to a DoJ press release. In recent years, the Scattered Spider group, which is largely believed to be composed of young, English-speaking teenagers, has caused havoc around the world by hacking into and disrupting dozens of businesses. The arrest of Stokes follows two British Scattered Spider members, Thalha Jubair and Owen Flowers, recently pleading guilty to hacking Transport for London in 2024 and causing millions in damages.

India Threatens WhatsApp Over Introduction of Usernames

Following a move by encrypted messaging app Signal last year, WhatsApp has announced it will soon roll out usernames to billions of people. The option means it is possible for people to connect and message each other without having to share phone numbers, increasing privacy protections. However, officials in India, one of WhatsApp’s biggest markets, who have previously tried to unfurl encryption protections on the Meta-owned app, have opposed the introduction of usernames. A letter from the Indian government, seen by Reuters, asked WhatsApp to pause the rollout of usernames in the country. The letter claimed the move could increase fraud and cybercrime, citing concerns around allowing online anonymity. The letter was followed by separate messages to Signal and Telegram about their use of usernames.

License Plate Reader Errors Are Getting Innocent People Stopped By Cops


Thousands of automatic license plate reader cameras, known as ALPRs, have appeared across the United States over the last few years. The cameras, which can be deployed by cops, cities, and businesses, photograph passing cars and record details about their movements. As well as license plate numbers, the systems can log the time and location of the photos, make and model of a vehicle, as well as bumper stickers. Billions of images and details of car movements have been captured in vast ALPR databases.

However, an increasing body of evidence shows that when the camera systems make mistakes, innocent people can be detained by law enforcement officials and accused of crimes. A review of court records and media reports, which are likely the tip of the iceberg, by the nonprofit the Institute for Justice this week found at least 24 cases of misidentification over the last eight years. These reportedly include a couple with a baby in their car being detained at gunpoint; a camera misreading an “O” as a “0”, leading to grandparents being detained; and someone being pulled over after their license plate was not removed from a wanted list. The findings add to a growing list of errors from the AI-enabled cameras.


