Apple’s Hide My Email Flaw Exposes Real Addresses After Year of Warnings

A year-old vulnerability in Apple's Hide My Email allows attackers to uncover real user addresses behind aliases, with 100% success in tests. Reported in 2025, it remains unfixed despite Apple's claims. Users face heightened privacy risks from public records linkage.
Apple’s Hide My Email Flaw Exposes Real Addresses After Year of Warnings
Written by Juan Vasquez

Apple built a reputation on protecting user data. Its Hide My Email tool, available to iCloud+ subscribers, promised just that. Generate a random alias. Share it instead of your personal address. Receive forwarded messages without revealing who you really are. Simple. Effective. Until it wasn’t.

A security researcher found a vulnerability that lets almost anyone unmask the real email tied to those aliases. He told Apple more than a year ago. Tests showed it worked on every address tried. The company claimed fixes. They didn’t hold. Now the details are public. And users who counted on the feature for privacy face new risks.

Tyler Murphy, co-founder of EasyOptOuts, discovered the problem in June 2025. He reported it immediately, complete with replication steps. Apple confirmed the behavior wasn’t intended. Then came months of back and forth. In March 2026 the company said it had addressed the issue through a system change. Murphy checked. It hadn’t been fixed. He sent more data. Apple kept investigating. By May it asked him to hold off on public disclosure to avoid endangering customers. He waited. In late May Apple promised a security update in the coming weeks. Nothing arrived. On June 30 Murphy verified the flaw remained open. He reached out to 404 Media.

“Apple Hide My Email is leaking email addresses that are supposed to be hidden,” Murphy said. “We reported the issue and replication instructions to Apple over a year ago. We don’t know why it hasn’t been fixed, but we don’t feel comfortable waiting any longer. Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses.”

He added a stark warning. Free people-search sites link an exposed email to names, addresses, phone numbers and more. Anyone relying on the tool for safety could find themselves at greater risk. CNET reported the same concerns Tuesday, noting the bug allows discovery through basic identity searches available to the public.

Hide My Email forms a core part of Apple’s privacy pitch. Subscribers pay at least $1 a month for iCloud+. They can create unique, random strings, often two words and a number at icloud.com. These forward mail while Apple strips identifying headers. The company says it doesn’t read message content beyond spam checks. Messages delete from relay servers quickly. On paper it beats handing your address to every newsletter or shopping site.

Yet the vulnerability changes the math. 404 Media tested it directly. A reporter generated a fresh alias and gave it to Murphy. Minutes later Murphy returned the real Apple-linked email. In limited trials with volunteers every single address proved exploitable. One hundred percent. The publication withheld technical specifics because the bug still works. Murphy’s team at EasyOptOuts later published its own account with a full timeline, confirming two related issues and repeated failed fix verifications through June 30, 2026.

Apple did not respond to requests for comment from 404 Media, CNET or TechCrunch. That silence stands out. The company typically moves fast on reported flaws. This one lingered. Murphy even suggested Apple stop selling new Hide My Email access until resolved. The response? Continued promises of future patches.

The timing adds sting. Just last month TechCrunch revealed Apple’s plan to shift new aliases from icloud.com to private.icloud.com. The change makes it easier for websites to detect and block privacy relays at signup. Services could reject them outright or flag accounts. A tool meant to hide identity becomes easier to spot and sideline. Combined with this unpatched leak, the feature’s value shrinks further.

Users have generated hundreds of aliases. One 404 Media staffer alone created more than 400. They sign up for trials, newsletters, forums. The goal is simple. Contain spam. Limit breach exposure. Keep personal data from companies that might sell it or lose it. When the alias gets exposed, that separation collapses. The real inbox, tied to an Apple ID, sits one step away from public records databases.

Privacy advocates reacted quickly on X. Discussions highlighted the irony. Apple markets itself against data-hungry competitors yet left this gap open for over twelve months. Some users reported the bug makes them reconsider iCloud+ altogether. Others called for immediate workarounds. Disable new alias creation. Review existing ones. Monitor for suspicious activity. But without details on the exact method, concrete defenses remain limited.

EasyOptOuts urged Apple to notify all affected users, pause new alias generation and collaborate more closely on a resolution. “We want people to be able to account for this risk when deciding when and how to use Hide My Email,” the company wrote. Its guide lists every exchange date. Initial report on June 11, 2025. Follow-ups. A second similar vulnerability in July 2025. Apple’s March claim of a fix. Murphy’s independent verification it persisted. May acknowledgment of ongoing investigation. The pattern shows repeated assurances that didn’t match reality.

This isn’t Apple’s first privacy stumble. Past issues involved analytics data collection and MAC address tracking. Each time the company adjusted. Yet a paid feature marketed explicitly for email anonymity carrying an open mapping flaw for this long raises questions about internal testing and response priorities.

Industry observers note the bug doesn’t require sophisticated hacking. Public records sites do the heavy lifting once an alias maps to a real address. That accessibility broadens the threat. A disgruntled contact, a curious competitor, even automated scrapers could exploit it. And because aliases often get used for sensitive signups, the downstream exposure multiplies.

Apple’s upcoming domain shift might reduce some abuse. It could also signal internal awareness of relay detection problems. But it doesn’t solve the current leak. Nor does it restore trust for those who generated aliases under the old assumption of one-way privacy.

So far Apple has offered no public statement on the latest reports. No timeline for a patch. No guidance for subscribers. That leaves users in limbo. Continue using a tool that might not hide what it promises? Switch to third-party alias services with their own trade-offs? Or simply hand over real addresses and accept the spam and breach risks?

The episode shows how even well-intentioned privacy controls can falter without rigorous, ongoing validation. Murphy waited patiently through multiple claimed fixes. When patience ran out he chose responsible disclosure through a trusted outlet. The result forces the conversation into the open. Apple now faces pressure to act fast, communicate clearly and perhaps rethink how it validates features that millions rely on to stay hidden.

Until then, the advice from those closest to the discovery is cautious. Know the limitation. Weigh the risk. And recognize that a privacy feature is only as good as its latest test.

Subscribe for Updates

CybersecurityUpdate Newsletter

The CybersecurityUpdate Email Newsletter is your essential source for the latest in cybersecurity news, threat intelligence, and risk management strategies. Perfect for IT security professionals and business leaders focused on protecting their organizations.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us