Several outlets report that Apple’s Hide My Email iCloud+ feature does not reliably conceal users’ real email addresses due to a privacy vulnerability. The issue was identified by researcher Tyler Murphy of EasyOptOuts, who says he reported it to Apple in June 2025 with steps to reproduce. According to Murphy, Apple acknowledged the report a month later and said it was investigating, and the vulnerability has allegedly remained unpatched for more than a year. 404 Media and MacRumors both state that 404 Media verified the problem using its own Hide My Email address, with the researcher and volunteers reporting that generated aliases were exploitable. One account says tests found 100% of Hide My Email addresses in limited trials could be used to reveal the real email linked to the Apple account. Apple reportedly told Murphy in March 2026 that the issue had been addressed in a system change, but Murphy says he later found the flaw persisted, and Apple continued investigating. Apple also indicated it expected to address the issue in a security update “in the coming weeks” as of late May. Outlets also note Hide My Email aliases are routed to a user’s main iCloud account while the alias identity is meant to be hidden.