This week's sweep of security and privacy news includes two eyebrow-raising items before the main story: contractors working for Meta posed as kids and teenagers to test how chatbots such as Gemini and ChatGPT responded to prompts about high-risk topics like suicide, sex and drugs, and a researcher found a way to use Anthropic's Claude Opus 4.7 to break into the ticketing website of Front Gate and generate tickets to almost any major American music festival, including Lollapalooza and Bonnaroo. But the story generating the most concern this week is a flaw in one of Apple's flagship privacy tools, one that has apparently been exposing real email addresses for at least a year.
A Privacy Tool That Wasn't So Private
Apple launched Hide My Email back in 2021 as part of its privacy push, letting people sign up for websites and apps using a randomly generated address instead of their real one. Messages sent to that throwaway address are quietly forwarded to the user's actual inbox, so companies never see the real email in the first place.
That premise fell apart this week when it emerged that a bug in the system lets a user's genuine email address be uncovered while they are using the tool, and has apparently done so for at least a year without being fixed. Security researcher Tyler Murphy, who says he discovered the flaw in June 2025, put it bluntly: "Apple Hide My Email is leaking email addresses that are supposed to be hidden." He added that "in our limited tests with volunteers, 100% of Hide My Email addresses were exploitable."
The precise mechanics of the vulnerability have not been made public because it still hasn't been patched. In tests, a freshly generated Hide My Email address, the kind that ends in @icloud.com, could be traced back to the real email address of the person who created it. Murphy says he first flagged the issue to Apple last summer and was told by March this year that it had been "addressed." When he kept testing anyway, the flaw was still exploitable, and a couple of months ago Apple told him it was still looking into it. Apple has not commented publicly on the matter.
Alleged Scattered Spider Hacker Sent to Face US Justice
A 19-year-old has been extradited to the United States to answer charges over his alleged role in the Scattered Spider hacking network, the Department of Justice announced this week. Peter Stokes, who holds Estonian and American citizenship, was arrested in Finland in April and now faces charges of computer intrusion, conspiracy and fraud tied to the group.
Prosecutors allege that Stokes and other members of the loosely organized hacking collective broke into an unnamed luxury jewelry retailer and demanded an $8 million cryptocurrency ransom in May 2025. The retailer refused to pay, but the Department of Justice says it still ended up spending $2 million dealing with the fallout of the breach. Scattered Spider is widely believed to be made up largely of young, English-speaking teenagers, and its members have caused chaos at dozens of companies worldwide in recent years. Stokes' arrest comes soon after two British members of the group, Thalha Jubair and Owen Flowers, pleaded guilty to hacking Transport for London in 2024, an intrusion that caused millions of dollars in damage.
India Pushes Back on WhatsApp's Username Plan
WhatsApp is preparing to roll out usernames to its billions of users, following a similar move by the encrypted messaging app Signal last year. The feature would let people message each other using a chosen username instead of handing over their phone number, adding an extra layer of privacy.
But officials in India, one of WhatsApp's largest markets and a country whose government has previously pushed to weaken encryption on the Meta-owned app, are objecting to the change. A letter from the Indian government asked WhatsApp to pause the username rollout in the country, arguing that it could fuel fraud and cybercrime by letting people stay anonymous online. Similar letters were separately sent to Signal and Telegram over their own use of usernames.
When License Plate Cameras Get It Wrong
Automatic license plate reader cameras, known as ALPRs, have spread rapidly across the United States in recent years. Police departments, cities and even private businesses now deploy them to photograph passing vehicles and log details about their movements, including the license plate number, the time and location of the photo, the make and model of the car, and even bumper stickers. The result is a set of databases holding billions of images and records of car movements.
A growing body of evidence shows that when these systems get it wrong, innocent people end up detained and accused of crimes they had nothing to do with. A review of court records and media reports by the nonprofit Institute for Justice found at least 24 cases of misidentification over the past eight years, and the group believes that number is likely just the tip of the iceberg. Among the cases: a couple with a baby in their car were detained at gunpoint, grandparents were stopped after a camera misread the letter "O" as the number "0," and one driver was pulled over simply because their license plate hadn't been removed from a wanted list after the case was resolved. These incidents add to a lengthening list of errors tied to the AI-powered cameras.