Apple's Hide My Email Still Exposes Real Addresses a Year After Report

Apple has not fixed a flaw in its iCloud Hide My Email service that lets third parties recover the underlying address tied to an alias.

The vulnerability was first reported to Apple in June 2025 by Tyler Murphy, co-founder of EasyOptOuts. Apple acknowledged the report the following month and stated it was investigating. As of early July 2026 the issue remained exploitable, according to tests conducted by 404 Media and Murphy.

Murphy supplied replication steps along with the initial disclosure. In follow-up checks with volunteers, every Hide My Email address tested proved vulnerable. 404 Media confirmed the same result using one of its own generated aliases but is withholding the precise technical details while the flaw is still active.

Murphy told 404 Media that the service “is leaking email addresses that are supposed to be hidden.” He added that the team does not know why the problem has not been resolved and chose to publish because users should be aware of the exposure.

Reactions

No additional statements from Apple appear in the reporting. The company has not disputed the existence of the issue or the timeline of the disclosure.

Why it matters

Users adopted Hide My Email precisely to keep their primary address private from services and potential attackers. When the alias can be reversed, that protection disappears without any action on the user’s part. The year-long gap between report and public notice leaves the same population exposed while Apple continues to promote the feature.

The episode also shows the limits of responsible disclosure when a vendor does not ship a fix. Once the window for private remediation closes, publication becomes the remaining lever for users to assess their risk.
