A politician on the European Parliament’s PEGA Committee, set up to investigate spyware abuses including the notorious Pegasus malware, was attacked by Pegasus itself, according to new research findings published this week. Meanwhile, Google’s senior security staff warned this week that proposals for pro-competition rules in the EU could make Google Search and Android systems vulnerable to hacking and other abuses.
A WIRED investigation revealed this week that Meta contractors posed as children and teenagers to see how chatbots like Gemini and ChatGPT responded to prompts about high-risk topics, including suicide, sex and drugs.
And one researcher realized he could use Anthropic’s Claude Opus 4.7 to log into Front Gate’s website and issue tickets to almost any music festival in the United States, including Lollapalooza and Bonnaroo.
But wait, there’s more! Each week, we round up the security and privacy news we didn’t cover in depth. Click on the headlines to read the full stories. And stay safe out there.
In 2021, Apple launched its Hide My Email tool, which, as the name suggests, allows people to sign up for online services using an email address that is not directly linked to them. The privacy feature generates “unique random email addresses” that will forward incoming messages to a user’s personal email address, reducing the amount of information you need to hand over to companies.
A report from 404 Media this week revealed that a vulnerability in the system has made it possible, for at least a year, for people’s real email addresses to be discovered when they use Apple’s privacy service. “Apple Hide My Email is leaking email addresses that are supposed to be hidden,” security researcher Tyler Murphy, who discovered the flaw in June 2025, told the publication. “In our limited testing with volunteers, 100% of Hide My Email addresses were exploitable,” he said.
The exact details of the vulnerability and how it works have not been revealed as the issue has not been fixed. In tests conducted by 404 Media and Murphy, it was possible to link a newly created Hide My Email address, which uses the domain @icloud.com, to the real email address of its creator. Murphy said he originally reported the issue to Apple last summer and was told it had been “fixed” in March of this year. However, when the researcher continued testing the issue, it remained exploitable, and Apple told Murphy a couple of months ago that it was still investigating the issue. Apple did not respond to the publication’s requests for comment.
A nineteen-year-old man has been arrested and extradited to the United States to face charges for his alleged involvement in the notorious Scattered Spider hacking group, the Department of Justice (DoJ) announced this week. Peter Stokes, an Estonian-American citizen, was arrested in Finland in April and charged with computer intrusion, conspiracy and fraud, linked to the criminal gang.
Stokes, along with other members of the flexible hacking collective, allegedly hacked an unnamed “luxury jewelry retailer” and demanded a ransom of $8 million in cryptocurrency in May 2025. The company did not pay, but still spent $2 million on the incident, according to a press release from the Department of Justice. In recent years, the Scattered Spider group, believed to be largely made up of young English-speaking teenagers, has wreaked havoc around the world by hacking and disrupting dozens of companies. Stokes’ arrest comes after two British members of Scattered Spider, Thalha Jubair and Owen Flowers, recently pleaded guilty to hacking Transport for London in 2024 and causing millions in damage.
Following a move by encrypted messaging app Signal last year, WhatsApp announced it will soon roll out usernames for billions of people. The option means people can connect and message each other without having to share phone numbers, increasing privacy protection. However, officials in India, one of WhatsApp’s largest markets, who previously attempted to roll out encryption protections on the Meta-owned app, have opposed the introduction of usernames. A letter from the Indian government, seen by Reuters, asked WhatsApp to pause the rollout of usernames in the country. The letter claimed the move could increase fraud and cybercrime, citing concerns about allowing anonymity online. The letter was followed by separate messages to Signal and Telegram about the use of usernames.
In recent years, thousands of automatic license plate reading cameras, known as ALPR, have appeared throughout the United States. The cameras, which can be used by police, cities and businesses, photograph passing cars and record details about their movements. In addition to license plate numbers, systems can record the time and location of photographs, the make and model of a vehicle, as well as bumper stickers. Billions of images and details of car movements have been captured in vast ALPR databases.
However, growing evidence shows that when camera systems make mistakes, law enforcement authorities can arrest innocent people and charge them with crimes. A review of court records and media reports conducted this week by the nonprofit Institute for Justice, likely the tip of the iceberg, found at least 24 cases of misidentification over the past eight years. They reportedly include a couple with a baby in their car who were detained at gunpoint; a case in which a camera misinterpreted an “O” as a “0,” leading to the grandparents’ arrest; and someone detained after his license plate was not removed from a wanted list. The findings add to a growing list of errors with AI-enabled cameras.