Apple Hide My Email Vulnerability Exposes Real Email Addresses - MacRumorsOpen MenuShow RoundupsShow Forums menuVisit ForumsOpen Sidebar
Skip to Content

Apple Hide My Email Vulnerability Exposes Real Email Addresses

A flaw in Apple's Hide My Email service can reportedly allow almost anyone to uncover the real email address behind a generated alias, and Apple has failed to address it for more than a year since it was first reported.

General macOS Mail Feature
404 Media is withholding the technical specifics of the vulnerability because it remains exploitable, but the publication verified the issue this week using one of its own Hide My Email addresses. In tests with volunteers by the researcher who discovered the flaw, 100% of Hide My Email addresses were found to be exploitable.

Tyler Murphy, co-founder of EasyOptOuts, discovered the issue and responsibly reported it to Apple in June 2025, along with instructions to replicate it. Apple acknowledged the report a month later and said it was investigating. Murphy said:

Apple Hide My Email is leaking email addresses that are supposed to be hidden. We reported the issue and replication instructions to Apple over a year ago. We don't know why it hasn't been fixed, but we don't feel comfortable waiting any longer. Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses.

Free, publicly accessible people-search sites make it easy to link an email address to other personal details, so people relying on Hide My Email for safety may be at risk.

In March 2026, Apple told Murphy it had "addressed the reported issue in a recent system change," but Murphy found the flaw had not in fact been closed. He provided further information, and Apple replied again to say it was still investigating.

In May, Apple once more said the issue remained under investigation and asked Murphy not to disclose it publicly until the inquiry was complete. Murphy proposed that Apple suspend the creation of new Hide My Email addresses as an interim measure to limit customer risk, but there is no indication that suggestion was acted on. By the end of May, Apple said it expected to address the issue in a security update "expected in the coming weeks."

Hide My Email is an iCloud+ feature that lets users generate random alias email addresses, primarily for use when signing up to services or corresponding with third parties. It is designed to protect a user's real email address from spam, data breaches, and unwanted identification.

Murphy noted that numerous people-search databases are freely available online and can tie an email address to a person's other personal details, meaning anyone depending on Hide My Email for their safety may be more exposed than they realize. Last month, it emerged that Apple's decision to move Hide My Email to a dedicated "private.icloud.com" domain appears to have the consequence of making it easier for platforms that want to block ‌iCloud‌ aliases to do so.

Popular Stories

iCloud iPhone 17 Pro

iPhone Users Who Pay for iCloud Storage Get Two New Perks on iOS 27

Thursday July 2, 2026 6:10 am PDT by
If you pay for certain iCloud+ storage plans beyond the 5GB that Apple offers for free, you will receive two more perks on iOS 27 at no additional cost. A summary of the two new iCloud+ perks on iOS 27:Increased daily usage limits for some new Apple Intelligence features, including image generation in the revamped Image Playground app. HomeKit Secure Video cameras receive generated video...
American Express Gold Apple Pay Feature

American Express Announces New Apple Pay Feature

Tuesday June 30, 2026 10:27 am PDT by
American Express today announced that you can now redeem Membership Rewards points when checking out with Apple Pay on the web and in apps on the iPhone and iPad. When checking out with Apple Pay on iOS 18 or iPadOS 18 or later, tap on your eligible American Express card (Platinum, Gold, Green, and others) and select the Membership Rewards points option. You can use points to cover all or...
series 10 apple watch titanium digital crown

Report: Apple Watch Redesign Coming Next Year With New Band System

Tuesday June 30, 2026 8:45 am PDT by
A "major overhaul" of the Apple Watch's design is due to arrive next year with a new system for connecting bands, according to a known Weibo leaker. In a set of recent posts, the leaker known as "Instant Digital" linked the new claim to older rumors about an "Apple Watch X" model, which was said to introduce a fresh design and break compatibility with the existing watch band system. Citing...

Top Rated Comments

match14 Avatar
2 days ago at 06:25 am
You’re hiding it wrong!
Score: 41 Votes (Like | Disagree)
dysamoria Avatar
2 days ago at 06:34 am
“We don't know why it hasn't been fixed…”

It hasn’t been fixed because Apple don’t fix bugs.

There are countless text editing/entry bugs in iOS/iPadOS that appeared during iOS 18 and were never fixed to this day.

I’m also still suffering corrupt iMessage conversations on iPhone when the addressee has both iMessage on a Mac and RCS on a droid phone, mixed back & forth in a conversation (I can’t send iMessages to ONE person, only, on my iPhone, but it works on all other devices, and the same recipient CAN get iMessages from me in a shared/group conversation on my iPhone). This started in iOS 18, still not fixed. Deleting and creating a new conversation used to correct it in iOS 18 but not in iOS 26. When it fails to send from iPhone, it fails entirely SILENTLY, with no error messages.

I could list countless bugs they’ve never fixed across major OS revisions. Apple don’t care. All they want to do is push people to buy the same devices over and over, by throwing “new features” at us that show up broken and never get fixed, and subscribe to services, like this “service” being shown as broken in this article.
Score: 28 Votes (Like | Disagree)
pigeonguy Avatar
2 days ago at 06:38 am
Has MacRumors reached out to Apple for comment? They have some explaining to do.
Score: 26 Votes (Like | Disagree)
jdavid_rp Avatar
2 days ago at 06:38 am
So a feature used to justify the walled garden of iCloud and its upselling tiers (from 200Gb to 2Tb, really no chance for an in-between?) not really private? Can we know for sure private relay is private then?
Score: 23 Votes (Like | Disagree)
Mr_Ed Avatar
2 days ago at 07:06 am
This is the kind of thing that seriously undermines any claim that Apple is the “privacy” choice for consumers.
I use “Hide my Email” regularly, so learning about this is really maddening. Apple management obviously doesn’t see it as a serious issue if they allowed it to linger this long. How big of a chunk of salt are expected to bring along when we listen to their ads, like the ones running currently regarding Safari and trackers, for example?
Score: 22 Votes (Like | Disagree)
daabido Avatar
2 days ago at 06:52 am
Class action so I can get 10 cents in 10 years?
Score: 15 Votes (Like | Disagree)