A critical privacy flaw in Apple’s Hide My Email feature exposes users’ real email addresses to potential attackers. The vulnerability has existed for over a year despite Apple’s repeated promises to fix it, raising serious questions about the company’s security response procedures.
Hide My Email is a privacy feature available to iCloud+ subscribers that allows users to generate random email aliases when signing up for online services. Instead of providing their real email address, users receive generated addresses like random.email.22@icloud.com, that forward messages to their actual inbox. The feature is designed to reduce spam, prevent data brokers from tracking users across services, and compartmentalize online identities. Apple has marketed the feature as a core privacy protection for paying iCloud+ subscribers.
The vulnerability was discovered by Tyler Murphy, co-founder of EasyOptOuts, a data removal service. Murphy reported the flaw to Apple in June 2025, providing the company with complete reproduction instructions. The issue allows attackers with basic technical knowledge to reverse engineer Hide My Email addresses and discover the real email accounts they are associated with.
“We don’t know the full scope of the issue, but in our limited tests with volunteers, 100% of Hide My Email addresses were exploitable,” Murphy told media. “… publicly accessible people-search sites make it easy to link an email address to other personal details, so people relying on Hide My Email for safety may be at risk.”
Independent verification by 404 Media confirmed the flaw remains active and exploitable. 404 Media created a test Hide My Email address and provided it to Murphy, who successfully identified the underlying real email address within minutes. In volunteer testing across multiple Hide My Email addresses, Murphy found a 100 percent exploitation rate. No Hide My Email address in the test cohort resisted the attack.
Apple’s response timeline reveals concerning gaps in its vulnerability management. One month after Murphy’s June 2025 report, Apple acknowledged the disclosure and said it was investigating. In March 2026, Apple claimed the issue had been addressed in a recent system change. Murphy tested the supposed fix and found the vulnerability remained fully functional. Murphy submitted additional information in May 2026. Apple responded that it was still investigating and asked Murphy not to disclose publicly until the inquiry was complete.
Murphy suggested Apple suspend creation of new Hide My Email addresses as an interim measure to limit customer risk, however, there is no indication of implementation of such suggestion. By late May 2026, Apple said it expected to address the issue in a security update expected in the coming weeks. By June 30, 2026, both Murphy and 404 Media confirmed the vulnerability persisted. Apple has not publicly acknowledged or responded to the current disclosure.
In the tech world, finding reliable privacy tools can feel like searching for a needle in a haystack. And even when you do find them, they don’t always deliver as promised. Apple has faced its fair share of criticism for this kind of issue in the past.
The flaw arrives as Apple plans significant changes to Hide My Email. In mid-June 2026, Apple announced plans to consolidate Hide My Email and Sign in with Apple relay addresses under the @private.icloud.com domain.
This change would allow websites and services to identify and block email addresses generated by Apple’s privacy feature, further reducing protection for users who rely on Hide My Email for anonymity.
