Several outlets report that Apple’s Hide My Email iCloud+ feature does not reliably conceal users’ real email addresses due to a privacy vulnerability. The issue was identified by researcher Tyler Murphy of EasyOptOuts, who says he reported it to Apple in June 2025 with steps to reproduce. According to Murphy, Apple acknowledged the report a month later and said it was investigating, and the vulnerability has allegedly remained unpatched for more than a year. 404 Media and MacRumors both state that 404 Media verified the problem using its own Hide My Email address, with the researcher and volunteers reporting that generated aliases were exploitable. One account says tests found 100% of Hide My Email addresses in limited trials could be used to reveal the real email linked to the Apple account. Apple reportedly told Murphy in March 2026 that the issue had been addressed in a system change, but Murphy says he later found the flaw persisted, and Apple continued investigating. Apple also indicated it expected to address the issue in a security update “in the coming weeks” as of late May. Outlets also note Hide My Email aliases are routed to a user’s main iCloud account while the alias identity is meant to be hidden.
Reports say Apple’s Hide My Email flaw can expose real user addresses
- Tyler Murphy reports discovering and submitting a vulnerability affecting Apple’s Hide My Email in June 2025, with replication instructions.
- Multiple outlets report testing that allegedly allowed real email addresses behind Hide My Email aliases to be uncovered.
- 404 Media says it verified the vulnerability using one of its own Hide My Email addresses; it reports a 100% success rate in limited volunteer tests.
- Apple acknowledged the report, investigated for an extended period, and later told Murphy it had addressed the issue in a system change; Murphy says the flaw was not fully closed.
- Apple’s Hide My Email is an iCloud+ feature that generates alias addresses intended to keep a user’s real email hidden while still routing messages to the user’s iCloud account.
Macworld: A new report by 404 Media states that Apple’s Hide My Email feature contains a vulnerability that can be used to reveal the true email address behind the one that Apple generates for you. The vulnerability, which was found by Tyler Murphy, was reported to Apple last year, and has yet to be fixed. 404 Media did not disclose how the vulnerability can be used, but it did perform its own testing and verified that the actual email address behind one created with Hide My Email was uncovered. Standard practice in the security community is not to disclose any findings until after the vulnerabilities have been fixed, but since it’s been a year, Murphy went public in an effort to pressure Apple to address the problem. A month after he made his initial report to Apple, Murphy was told that an update had provided a fix. But Murphy was able to expose the vulnerability after the supposed patch and provided Apple with more details. Last May, Murphy was told that Apple was still investigating the issue. Hide My Email is a feature of iCloud+ that allows users to create and use an anonymous email address when signing up for online accounts. It’s a popular feature because it allows users not to use their actual email address and maintain an amount of privacy. “If you choose the Hide My Email option, only the app or website you created the account with can use this unique email address to communicate with you,” according to an Apple support document. Emails are still routed to your main iCloud account, but the identity is meant to be hidden. While the vulnerability hasn’t been publicly defined, users should be wary of the effectiveness of Hide My Email. You could continue using it, but know that it might not be completely private.
If you’re not convinced Hide My Email is doing its job, you can alternatively create a separate email account at a free online email service such as Gmail or Yahoo for the specific purpose of non-critical logins, and use it until Apple addresses the issue. Perhaps related, Apple announced a recent change to Hide My Email, where the email address created uses @private.icloud.com instead. That’s different from @icloud.com and could allow services to filter the two domains and reject @private.icloud.com from being accepted when an email address is demanded. Apple said the change is coming later this summer.
1 hour ago
Joseph Cox, reporting for 404 Media: 404 Media is not revealing the exact details of the vulnerability because it can still be exploited as of Monday, when 404 Media verified the issue with one of our own hidden email addresses. “Apple Hide My Email is leaking email addresses that are supposed to be hidden. We reported the issue and replication instructions to Apple over a year ago. We don’t know why it hasn’t been fixed, but we don’t feel comfortable waiting any longer. Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses,” Tyler Murphy, the co-founder of EasyOptOuts, which discovered and reported the issue to Apple, told 404 Media. [...] To test the issue I generated a new Hide My Email address and provided it to Murphy. Around five minutes later, he replied with my real email address linked to my Apple account which was supposed to be hidden. “We don’t know the full scope of the issue, but in our limited tests with volunteers, 100% of Hide My Email addresses were exploitable,” Murphy said. Not good. Especially the “We reported the issue and replication instructions to Apple over a year ago” part. (Is this possibly related to the WWDC news that Apple is merging the domain names used for Sign In With Apple and Hide My Email? I can’t see why, but who knows?)
2 hours ago
A privacy flaw in Apple’s Hide My Email feature means that your real email address can be discovered. A security researcher said that tests found 100% of generated addresses allowed an attacker to reveal the real email associated with the Apple account. Tyler Murphy said that he discovered and reported the issue to Apple more than a year ago, but it still hasn’t been fixed, and he has now made the decision to go public …
3 hours ago
A flaw in Apple's Hide My Email service can reportedly allow almost anyone to uncover the real email address behind a generated alias, and Apple has failed to address it for more than a year since it was first reported. 404 Media is withholding the technical specifics of the vulnerability because it remains exploitable, but the publication verified the issue this week using one of its own Hide My Email addresses. In tests with volunteers by the researcher who discovered the flaw, 100% of Hide My Email addresses were found to be exploitable. Tyler Murphy, co-founder of EasyOptOuts, discovered the issue and responsibly reported it to Apple in June 2025, along with instructions to replicate it. Apple acknowledged the report a month later and said it was investigating. Murphy said: Apple Hide My Email is leaking email addresses that are supposed to be hidden. We reported the issue and replication instructions to Apple over a year ago. We don't know why it hasn't been fixed, but we don't feel comfortable waiting any longer. Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses. Free, publicly accessible people-search sites make it easy to link an email address to other personal details, so people relying on Hide My Email for safety may be at risk. In March 2026, Apple told Murphy it had "addressed the reported issue in a recent system change," but Murphy found the flaw had not in fact been closed. He provided further information, and Apple replied again to say it was still investigating. In May, Apple once more said the issue remained under investigation and asked Murphy not to disclose it publicly until the inquiry was complete. Murphy proposed that Apple suspend the creation of new Hide My Email addresses as an interim measure to limit customer risk, but there is no indication that suggestion was acted on.
By the end of May, Apple said it expected to address the issue in a security update "expected in the coming weeks." Hide My Email is an iCloud+ feature that lets users generate random alias email addresses, primarily for use when signing up to services or corresponding with third parties. It is designed to protect a user's real email address from spam, data breaches, and unwanted identification. Murphy noted that numerous people-search databases are freely available online and can tie an email address to a person's other personal details, meaning anyone depending on Hide My Email for their safety may be more exposed than they realize. Last month, it emerged that Apple's decision to move Hide My Email to a dedicated "private.icloud.com" domain appears to have the consequence of making it easier for platforms that want to block iCloud aliases to do so.
This article, "Apple Hide My Email Vulnerability Exposes Real Email Addresses" first appeared on MacRumors.com