Apple’s Hide My Email privacy feature has a problem with the one job implied by its name: hiding an email address. 404 Media reported that a vulnerability in the service can expose the real email address behind an Apple-generated relay address.
Security researcher Tyler Murphy, who found the flaw in June 2025, told 404 Media that the service was leaking addresses that were meant to stay private. In tests with volunteers, Murphy said every Hide My Email address tested could be exploited. That is a small test set, and the technical details remain undisclosed, but the claim is direct enough to make anyone using the feature wince.
Apple launched Hide My Email in 2021 as part of its privacy tooling. The feature creates random email aliases that forward messages to a user’s personal inbox. The point is to let someone sign up for an app, newsletter, store, or other service without handing over an address that can be tied to them across the web.
According to 404 Media, the bug has made it possible for at least a year to connect a newly generated Hide My Email address on the @icloud.com domain to the real email address of the person who created it. Murphy and 404 Media tested the issue together. They did not publish the method because, according to the report, Apple has not fixed the problem.
Murphy told 404 Media that he reported the issue to Apple last summer. Apple later told him the matter had been addressed by March of this year, according to the report. Murphy kept testing and said the weakness still worked. A couple of months ago, Apple told him it was still investigating, 404 Media reported. Apple did not respond to the publication’s request for comment.
For users, the risk is plain: a relay address that was supposed to limit data sharing may instead become a lookup path to the inbox they were trying to keep out of other people’s databases. That undercuts the privacy bargain Apple sold with the feature, especially for people who used it with services they did not fully trust.
Other security developments
WIRED also reported that a politician on the European Parliament’s PEGA Committee, which was created to investigate spyware abuse including Pegasus, was himself targeted with Pegasus, according to new research findings released this week.
Top Google security staff warned that European Union pro-competition proposals could expose Google Search and Android systems to hacking and abuse, according to WIRED. Those warnings are Google’s claims, and they arrive in the middle of a fight over how much dominant platforms should be forced to open up.
A WIRED investigation found that Meta contractors posed as children and teenagers while testing how chatbots including Gemini and ChatGPT responded to prompts involving suicide, sex, and drugs.
Separately, a researcher found he could use Anthropic’s Claude Opus 4.7 to break into Front Gate’s website and issue tickets to nearly any United States music festival, including Lollapalooza and Bonnaroo, WIRED reported.
The US Department of Justice announced that Peter Stokes, a 19-year-old Estonian-US dual citizen, was arrested in Finland in April and extradited to face charges tied to alleged Scattered Spider activity. Prosecutors allege Stokes and others hacked a luxury jewelry retailer and demanded an $8 million cryptocurrency ransom in May 2025. The company did not pay, but spent $2 million responding to the incident, according to the DOJ.
Reuters reported that India asked WhatsApp to pause its planned username rollout in the country, citing a government letter that claimed usernames could increase fraud and cybercrime. The government also sent messages to Signal and Telegram about usernames, Reuters reported.
The Institute for Justice said it found at least 24 cases over eight years in which automatic license plate reader mistakes led to innocent drivers being stopped, detained, or otherwise misidentified by police.
This story draws on original reporting from WIRED.