{
  "type": "article",
  "title": "Apple's Anonymous Email Trick Turns Out Not So Anonymous, Plus Four More Security Stories This Week",
  "summary": "A year-old flaw in Apple's Hide My Email tool is exposing users' real addresses, while an alleged Scattered Spider hacker faces extradition, India pushes back on WhatsApp usernames, and license plate camera errors keep landing innocent drivers in police custody.",
  "content": "This week's sweep of security and privacy news includes two eyebrow-raising items before the main story: contractors working for Meta posed as kids and teenagers to test how chatbots such as Gemini and ChatGPT responded to prompts about high-risk topics like suicide, sex and drugs, and a researcher found a way to use Anthropic's Claude Opus 4.7 to break into the ticketing website of Front Gate and generate tickets to almost any major American music festival, including Lollapalooza and Bonnaroo. But the story generating the most concern this week is a flaw in one of Apple's flagship privacy tools, one that has apparently been exposing real email addresses for at least a year.\n\nA Privacy Tool That Wasn't So Private\nApple launched Hide My Email back in 2021 as part of its privacy push, letting people sign up for websites and apps using a randomly generated address instead of their real one. Messages sent to that throwaway address are quietly forwarded to the user's actual inbox, so companies never see the real email in the first place.\n\nThat premise fell apart this week when it emerged that a bug in the system has let people's genuine email addresses be uncovered while they use the tool, and has apparently allowed this for at least a year without being fixed. Security researcher Tyler Murphy, who says he discovered the flaw in June 2025, put it bluntly: \"Apple Hide My Email is leaking email addresses that are supposed to be hidden.\" He added that \"in our limited tests with volunteers, 100% of Hide My Email addresses were exploitable.\"\n\nThe precise mechanics of the vulnerability have not been made public because it still hasn't been patched. In tests, a freshly generated Hide My Email address, the kind that ends in @icloud.com, could be traced back to the real email address of the person who created it. Murphy says he first flagged the issue to Apple last summer and was told by March this year that it had been \"addressed.\" When he kept testing anyway, the flaw was still exploitable, and a couple of months ago Apple told him it was still looking into it. Apple has not commented publicly on the matter.\n\nAlleged Scattered Spider Hacker Sent to Face US Justice\nA 19-year-old has been extradited to the United States to answer charges over his alleged role in the Scattered Spider hacking network, the Department of Justice announced this week. Peter Stokes, who holds Estonian and American citizenship, was arrested in Finland in April and now faces charges of computer intrusion, conspiracy and fraud tied to the group.\n\nProsecutors allege that Stokes and other members of the loosely organized hacking collective broke into an unnamed luxury jewelry retailer and demanded an $8 million cryptocurrency ransom in May 2025. The retailer refused to pay, but the Department of Justice says it still ended up spending $2 million dealing with the fallout of the breach. Scattered Spider is widely believed to be made up largely of young, English-speaking teenagers, and its members have caused chaos at dozens of companies worldwide in recent years. Stokes' arrest comes soon after two British members of the group, Thalha Jubair and Owen Flowers, pleaded guilty to hacking Transport for London in 2024, an intrusion that caused millions of dollars in damage.\n\nIndia Pushes Back on WhatsApp's Username Plan\nWhatsApp is preparing to roll out usernames to its billions of users, following a similar move by the encrypted messaging app Signal last year. The feature would let people message each other using a chosen username instead of handing over their phone number, adding an extra layer of privacy.\n\nBut officials in India, one of WhatsApp's largest markets and a government that has previously pushed to weaken encryption on the Meta-owned app, are objecting to the change. A letter from the Indian government asked WhatsApp to pause the username rollout in the country, arguing that it could fuel fraud and cybercrime by letting people stay anonymous online. Similar letters were separately sent to Signal and Telegram over their own use of usernames.\n\nWhen License Plate Cameras Get It Wrong\nAutomatic license plate reader cameras, known as ALPRs, have spread rapidly across the United States in recent years. Police departments, cities and even private businesses now deploy them to photograph passing vehicles and log details about their movements, including the license plate number, the time and location of the photo, the make and model of the car, and even bumper stickers. The result is a set of databases holding billions of images and records of car movements.\n\nA growing body of evidence shows that when these systems get it wrong, innocent people end up detained and accused of crimes they had nothing to do with. A review of court records and media reports by the nonprofit Institute for Justice found at least 24 cases of misidentification over the past eight years, and the group believes that number is likely just the tip of the iceberg. Among the cases: a couple with a baby in their car were detained at gunpoint, grandparents were stopped after a camera misread the letter \"O\" as the number \"0,\" and one driver was pulled over simply because their license plate hadn't been removed from a wanted list after the case was resolved. These incidents add to a lengthening list of errors tied to the AI-powered cameras.\n\nWhat this means for you\n• In India: if the government succeeds in delaying WhatsApp's username rollout, Indian users will keep having to share their phone number to message people for now, and the feature may reach India later than other markets.\n• For Apple users: if you've ever used Hide My Email to sign up on a website, your real email address may not be as hidden as you assumed.\n• For US drivers: errors by license plate reader cameras can lead to innocent people being detained, so it's worth knowing you can challenge a wrongful stop tied to outdated or misread plate data.\n\nQuestions & Answers\n\n1. What does Apple's Hide My Email feature do?\nIt gives users a randomly generated email address so they can sign up for services without sharing their real one, and messages sent to that address are forwarded to their actual inbox.\n\n2. How long has this flaw existed?\nSecurity researcher Tyler Murphy discovered it in June 2025, but the flaw has apparently been exploitable for at least a year.\n\n3. Has Apple fixed the issue?\nNo, Apple told the researcher a couple of months ago that it was still investigating, and the company has not commented publicly.\n\n4. Who is Peter Stokes?\nHe is a 19-year-old Estonian-US dual citizen arrested in Finland in April and extradited to the United States on charges tied to the Scattered Spider hacking group.\n\n5. How much ransom did Scattered Spider demand from the jewelry retailer?\nThe group demanded an $8 million cryptocurrency ransom in May 2025; the retailer didn't pay but still spent $2 million dealing with the breach.\n\n6. Why is India objecting to WhatsApp's username feature?\nThe Indian government fears that the anonymity usernames provide could increase fraud and cybercrime, so it has asked WhatsApp to pause the rollout.\n\n7. How many people have been affected by license plate reader errors?\nThe Institute for Justice found at least 24 cases of misidentification over the past eight years, and believes the real number is likely higher.\n\n8. What kinds of mistakes have ALPR cameras made?\nIn one case a couple with a baby were detained at gunpoint, in another a camera misread the letter O as the number 0 and stopped grandparents, and one driver was pulled over because his plate hadn't been removed from an old wanted list.",
  "url": "https://trendkia.com/en/security/apple-ki-gumanama-imela-suvidha-men-sendha-satha-men-isa-haphte-ki-chara-aura-bari-saibara-sikyoriti-khabaren-4666",
  "category": "Security",
  "publishedAt": "2026-07-04",
  "tags": [
    "Apple Hide My Email",
    "Cybersecurity",
    "Scattered Spider hacking",
    "WhatsApp usernames",
    "license plate camera",
    "data privacy"
  ],
  "language": "en",
  "site": "TrendKia"
}