Apple has long positioned Hide My Email as one of the defining privacy features of its iCloud+ subscription. The premise is straightforward: generate a random email alias, share that instead of your real address, and let Apple silently forward messages to your inbox without revealing your identity. However, new findings suggest that promise is not holding up.

Security researcher Tyler Murphy, co-founder of data removal service EasyOptOuts, says he discovered a vulnerability that allows someone who possesses a Hide My Email alias to determine the real email address behind it. Murphy disclosed the issue responsibly to Apple in June 2025, but more than a year later the flaw remains unpatched, according to his latest testing and independent verification by 404 Media.

Even more concerning is Apple's handling of the disclosure. According to correspondence shared by Murphy, Apple acknowledged the issue, twice stated that it had been fixed, and later accepted that the vulnerability still existed. As recently as July 1, 2026, 404 Media generated a fresh Hide My Email alias and asked Murphy to test it. Within minutes, he successfully identified the underlying email address.

Key Takeaways:
A flaw in Apple's Hide My Email feature can reveal a user's real email address.
The issue was discovered by Tyler Murphy, co-founder of EasyOptOuts.
Apple was first notified on June 11, 2025.
404 Media independently verified the vulnerability using a newly generated alias.
Murphy says every Hide My Email address tested by his team was vulnerable.
Apple has repeatedly indicated the issue would be fixed, but researchers say it remains exploitable as of July 1, 2026.

What is the Hide My Email vulnerability?

Hide My Email is designed to let iCloud+ subscribers create disposable email aliases instead of sharing their personal inbox when signing up for apps, websites or newsletters.

Normally, messages sent to these aliases are forwarded to the user's real inbox while the destination email address remains hidden from third parties.

Murphy says he found a method that effectively reverses this process. Instead of protecting the destination email, the vulnerability allows someone who already has a Hide My Email alias to work backwards and discover the real address receiving those emails.

Neither Murphy nor 404 Media has publicly disclosed the technical details because the flaw is still active, limiting the immediate risk of widespread abuse while allowing Apple additional time to address the issue.

Apple's response: more than a year of back and forth

The disclosure timeline illustrates why the issue has attracted attention within the security community.

June 11, 2025: Murphy privately reports the vulnerability to Apple, including proof of concept and mitigation suggestions.
July 14, 2025: Apple acknowledges the report and confirms the behaviour is not intentional.
March 3, 2026: Apple tells Murphy the issue has been fixed.
March 19, 2026: Murphy retests the vulnerability and finds it still works.
May 22, 2026: Murphy informs Apple that the issue appears broader than initially understood.
Late May 2026: Apple asks Murphy not to disclose the vulnerability publicly, saying a fix is expected "in the coming weeks".
June 30, 2026: Apple again says the issue has been resolved.
July 1, 2026: Murphy and 404 Media verify that the vulnerability remains exploitable before publicly disclosing its existence.

That timeline matters because it shows this was not an immediately public disclosure.
Murphy followed responsible disclosure practices for more than a year before deciding users deserved to know about the unresolved risk.

Why this is more serious than an ordinary email leak

At first glance, exposing an email address may not sound particularly alarming. In practice, the consequences can extend much further.

Many users rely on Hide My Email when interacting with unfamiliar websites, online marketplaces, developers, journalists or individuals they would rather not reveal their identity to. For some people—including activists, domestic abuse survivors, whistleblowers and public-facing professionals—the feature serves as an additional layer of personal security rather than merely a spam filter.

Once a real email address becomes known, it can often be linked to names, social media accounts, phone numbers and even residential addresses through publicly accessible people-search services and data broker databases. Murphy argues this substantially increases the privacy risk for users who depend on Hide My Email for anonymity.

Another privacy concern is emerging

The vulnerability arrives as Apple prepares another significant change to the feature. The company has announced plans to consolidate Hide My Email addresses and Sign in with Apple relay addresses under the new @private.icloud.com domain. While the change is intended to simplify Apple's private email infrastructure, privacy advocates have warned it could also make anonymous addresses easier for websites to identify and reject outright.
Instead of blending in with broader iCloud domains, the new dedicated domain could allow services to block privacy aliases using a simple domain filter.

Although this change is unrelated to the vulnerability itself, critics argue it arrives at an awkward time, with Apple's flagship email privacy feature already under scrutiny.

Should Hide My Email users be worried?

The exploit details remain undisclosed, which limits the likelihood of widespread abuse.

However, researchers caution that users who depend on Hide My Email for personal safety or anonymity should recognise that the feature may not currently provide the protection they expect.

Apple has not issued a public advisory or confirmed when a verified fix will become available. Until then, users handling particularly sensitive communications may want to reassess situations where revealing their underlying email address could create personal or professional risk.

FAQs

What is Apple's Hide My Email?
Hide My Email is an iCloud+ feature that generates random email aliases which forward messages to your primary inbox while concealing your real email address from apps and websites.

What is the vulnerability?
Researchers say someone who knows your Hide My Email alias can determine the real email address associated with it. Technical details have not been published because the issue remains unresolved.

Has Apple fixed the problem?
No verified fix has been confirmed publicly. Although Apple informed Murphy multiple times that the vulnerability had been addressed, subsequent testing by Murphy and 404 Media found it remained exploitable as of July 1, 2026.

Should users stop using Hide My Email?
Apple has not advised users to stop using the feature. However, anyone relying on it for anonymity or personal safety should be aware that its core privacy protection may not currently function as intended until Apple releases and verifies a complete fix.

Apple's Hide My Email privacy flaw exposes real email addresses; Apple still hasn't fixed it after a year
A critical flaw in Apple's Hide My Email feature, discovered by researcher Tyler Murphy, allows individuals to uncover a user's real email address from a generated alias. Despite responsible disclosure in June 2025 and repeated assurances from Apple that the issue was fixed, independent verification in July 2026 confirmed the vulnerability persists, raising significant privacy concerns for users relying on the service for anonymity.










