Security news moves fast. You blink. Something breaks.

This week, the European Parliament’s committee investigating spyware abuse got spied on. Yeah, that happened. A politician on the PEGA Committee, created to track Pegasus, became a target of Pegasus.

Then Google’s top security chiefs sounded the alarm. They warn that EU antitrust rules could break Google Search. Android might too. The regulators want competition. Google says the cost is safety.

Meta isn’t safe either. WIRED found out contractors dressed as teens to chat with AI. Gemini, ChatGpt. They asked about suicide, drugs, sex. The bots replied.

And in a move that makes you wonder if we’re even trying anymore, a researcher used Claude Opus 4.7. He broke into Front Gate. United States’ big festival ticket site. Lollapalooza, Bonnaroo. He issued tickets to whoever he wanted.

Usually we skip the roundup stuff. Not today. Stay safe, or try to.

Apple’s Hidden Emails Aren’t Hidden

Apple sold us a privacy dream in 2021. “Hide My Email,” they called it. Beautiful concept. Sign up for that sketchy service using a random email. Not yours. Just a proxy. It forwards messages. Keeps your real address off the record. Clean.

It’s broken.

For over a year. At least. A guy named Tyler Murphy found it back in June 2024. (Or 2025 depending on the calendar, time is fluid.) He told 404 Media that Apple is leaking real emails.

Not some. All of them.

In limited tests? 100% exploitable. Every single Hide My Email alias could be traced back to the person behind it. Murphy reported it. Apple said it was fixed. Or that it was being “addressed.” It wasn’t.

Still isn’t.

They haven’t patched it. Murphy tested it again. Same result. The @icloud.com alias links directly to the owner’s private inbox. Apple is still “investigating.” Or at least they were a few months ago.

Silence now. No comment from Cupertino.

Another Kid, Another Hack

The DOJ dragged another teenager to justice this week. Peter Stokes. Nineteen. Estonian-American dual citizen. Arrested in Finland.

He’s Scattered Spider.

You know them. Young, loud, messy. They hacked a luxury jewelry retailer last May. Demanded eight million bucks in crypto. The shop didn’t pay. Good on them. But they still spent two million cleaning up the mess.

Stokes is facing charges. Conspiracy. Fraud. Intrusion.

This follows the British pair, Thalha Jubair and Owen. They pleaded guilty earlier. Transport for London? They took down the ticketing system. Millions in damage. Just because they could.

Stokes joins them now. Facing the music. Across the pond.

India vs. Usernames

Signal started it. Now WhatsApp wants to let you hide your number too. Usernames. Just names. No phone digits attached.

India says no.

The government sent a letter to Meta. Stop. Don’t bring it here. Their argument? Fraud. Cybercrime. Anonymity is dangerous.

It’s the same old tune. They’ve been trying to break end-to-end encryption for ages. This is just the latest tactic. Signal and Telegram got similar threats.

They want to know who is talking. Even if the app says no.

Wrong Car, Right Stop

There are thousands of ALPRs everywhere now. Automatic license plate readers. Cops, cities, random businesses. All watching.

They take pictures. Every car that drives by. Time, place, make, model. Bumper stickers too. All that data piles up in some dark database somewhere.

It’s supposed to help find stolen cars. Bad guys.

Sometimes it stops the wrong guy. The algorithm errs. A misread plate sends an officer screeching around a corner toward an innocent family sedan.

It happens often. Too often.

We trade privacy for convenience. Or safety. Or just because it’s easier to let cameras do the driving while we worry about Apple emails.