A flaw in Apple’s Hide My Email service could allow almost anyone to discover the real email address behind a generated alias, and Apple has failed to fix it in more than a year since it was first reported.
404 Media is withholding technical details of the vulnerability because it remains exploitable, but the publication verified the issue this week using one of its own Hide My Email addresses. In tests carried out with volunteers by the researcher who discovered the flaw, 100% of Hide My Email addresses were found to be exploitable.
Tyler Murphy, co-founder of EasyOptOuts, discovered the issue and responsibly reported it to Apple in June 2025, along with instructions to reproduce it. Apple acknowledged the report a month later and said it was investigating. Murphy said:
Apple Hide My Email discloses email addresses that are supposed to be hidden. We reported the issue and replication instructions to Apple over a year ago. We don’t know why the issue hasn’t been resolved, but we don’t feel comfortable waiting any longer. Hide My Email users deserve to know that it is possible for attackers to discover their hidden email addresses.
Free, publicly available people-search sites make it easy to link an email address to other personal information, so people who rely on Hide My Email for security may be at risk.
In March 2026, Apple told Murphy that it had “fixed the issue reported in a recent system change”, but Murphy discovered that the flaw had not in fact been fixed. He provided additional information and Apple responded again saying it was still investigating.
In May, Apple once again said the matter was still under investigation and asked Murphy not to publicly disclose it until the investigation was complete. Murphy suggested that Apple pause the creation of new Hide My Email addresses as an interim measure to limit risk to customers, but there is no indication that this suggestion has been implemented. In late May, Apple said it planned to address the issue in a security update “expected in the coming weeks.”
Hide My Email is an iCloud+ feature that allows users to generate random alias email addresses, primarily for use when registering for services or corresponding with third parties. It is designed to protect a user’s real email address from spam, data breaches, and unwanted identification.
Murphy noted that many people-search databases are available for free online and can link an email address to a person’s other personal information, meaning that anyone relying on Hide My Email for their security may be more at risk than they think. Last month it emerged that Apple’s decision to move Hide My Email to a dedicated domain, “private.icloud.com”, appears to be making it easier for platforms to block iCloud aliases.
