Apple Hide My Email Vulnerability Exposes Real Email Addresses

The feature you pay Apple to keep your address secret has been handing it out for more than a year, and the company keeps insisting it’s almost fixed.
Apple sells Hide My Email as a shield. You switch the feature on and iCloud+ hands you a random alias, so the companies you deal with never see the address tied to your real identity.
But a security researcher says that shield has a hole in it, one Apple has left open for more than a year.
Tyler Murphy, co-founder of the data-removal service EasyOptOuts, found a way to take a Hide My Email alias and work backward to the genuine address it conceals.
He reported it to Apple in June 2025 and handed over instructions showing exactly how to reproduce it. Twelve months on, the flaw still works. 404 Media confirmed as much this week, unmasking one of its own hidden addresses.
Murphy’s testing suggests the problem runs deep. “We don’t know the full scope of the issue, but in our limited tests with volunteers, 100% of Hide My Email addresses were exploitable,” he told 404 Media. All the aliases his team probed gave up the real address behind them.
That figure guts the whole premise of the feature. People reach for Hide My Email precisely when they want distance between themselves and a service they don’t fully trust, whether that’s a shopping site, a newsletter, or a stranger on a marketplace. If you take away the alias, you take away the reason to use it.
Murphy points to the wider machinery that turns one data point into a full profile. He warns that “publicly accessible people-search sites make it easy to link an email address to other personal details, so people relying on Hide My Email for safety may be at risk.” His company exists to scrub exactly that kind of information off broker sites, so the stakes are familiar to him. An address that leads to a name, a home, or a phone number is raw material for harassment, stalking, and fraud.
Apple’s response seems like a year of stalling. The company told Murphy it was looking into the report a month after he filed it. By March 2026 it claimed it had “addressed the reported issue in a recent system change.”
Murphy checked, and it hadn’t. He sent more detail, and Apple went back to running checks. By May the company was still telling him it was “still investigating,” while asking him to keep the flaw quiet until it finished.
Murphy offered Apple a way to protect users in the meantime. He suggested the company pause sales of Hide My Email until a real fix shipped, shrinking the pool of exposed accounts. Apple kept selling it. At the end of May, it said a fix would arrive in a security update “expected in the coming weeks.” Those weeks have passed. 404 Media contacted Apple repeatedly and got nothing back.
Murphy decided he had waited long enough. “Apple Hide My Email is leaking email addresses that are supposed to be hidden. We reported the issue and replication instructions to Apple over a year ago. We don’t know why it hasn’t been fixed, but we don’t feel comfortable waiting any longer. Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses,” he said. He has kept the technical details private, so the flaw isn’t handed to the next opportunist.
A separate change to the service is landing around the same time, and it chips away at another safeguard. Apple told developers on June 15 that Hide My Email aliases will move to a new domain, private.icloud.com, replacing the iCloud.com addresses that blended in with ordinary mail.
Sign in with Apple relay addresses are shifting to the same domain. That old ambiguity was a feature. A message from an iCloud.com address could have come from almost anyone, which is what made the disguise work. A private.icloud.com address announces itself, and nothing stops a website or newsletter from blocking the domain outright and forcing you to hand over a real account.
Until Apple ships the fix it keeps promising, the safest assumption is that a Hide My Email alias hides less than you think.