Researcher Claims Apple's Hide My Email Bug Exposed Users' Real Email Addresses

Apple's Hide My Email is one of the more practically useful privacy features the company has introduced in recent years, letting iCloud+ subscribers generate random alias addresses so they can sign up for apps, newsletters, and websites without ever handing over their real inbox. The idea is straightforward: the alias forwards incoming mail while keeping the actual Apple ID email address invisible to whoever receives it. For users trying to avoid spam, reduce data broker exposure, or simply limit how widely their personal email circulates, the feature has been a genuine addition to Apple's privacy toolkit.

What security researcher Tyler Murphy discovered, and what he reported to Apple in June 2025, is that the protection the feature appears to provide may be illusory. A vulnerability in the Hide My Email implementation allows an attacker to reverse the alias and recover the real email address associated with the underlying iCloud account. In limited tests with volunteers, every single Hide My Email address Murphy tried was exploitable. Apple has known about this for over a year. As of this week, the bug remained unfixed, prompting Murphy and his co-founder to go public with the disclosure rather than continue waiting.

A security researcher claims a bug in Apple's Hide My Email feature may have exposed some users' real email addresses, raising fresh concerns about privacy and data protection. This article examines the reported vulnerability, its potential impact, and how Apple has responded to the claims.

What the Researcher Actually Found

Tyler Murphy is the co-founder of EasyOptOuts, a privacy-focused data removal service. He and his co-founder Ben discovered the Hide My Email vulnerability and reported it to Apple on June 11, 2025, along with instructions on how to replicate it. The flaw allows an attacker who knows a Hide My Email alias, which is the very address the user hands out to third parties, to recover the real email address behind it, bypassing the protection the feature is designed to provide.

The story was first published by 404 Media, which tested the claim and independently verified that the vulnerability still exists. The outlet's journalist Joseph Cox generated a fresh Hide My Email address and gave it to Murphy. Within minutes, Murphy returned Cox's real inbox address. That demonstration went beyond a theoretical claim: it showed the exploit works reliably and quickly against a newly created alias, not only under laboratory conditions that would be difficult to reproduce in the real world.

Murphy's own description of the success rate is stark. In tests run with volunteers, the exploit worked on 100 percent of the aliases tried. Murphy qualifies this as a limited test and says the full scope is unknown, but within that sample there was no partial success and no special condition required: every Hide My Email address tested was reversible. Murphy was direct about why he decided to go public despite Apple asking him not to: "Apple Hide My Email is leaking email addresses that are supposed to be hidden. We reported the issue and replication instructions to Apple over a year ago. We don't know why it hasn't been fixed, but we don't feel comfortable waiting any longer. Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses."

"We don't know the full scope of the issue, but in our limited tests with volunteers, 100% of Hide My Email addresses were exploitable."
- Tyler Murphy, co-founder of EasyOptOuts, July 2026

What Hide My Email Is Supposed to Do

Hide My Email is an iCloud+ feature, meaning it is available to subscribers who pay for additional iCloud storage rather than being part of the free tier. When a user signs up for an app, website, or service and uses Hide My Email, Apple generates a random alias address, typically two words followed by a number, at the @icloud.com domain (the related Sign in with Apple relay addresses use @privaterelay.appleid.com). Mail sent to that alias is forwarded to the user's real inbox, but the sender only ever sees the alias. The user's actual email address remains invisible to whoever receives the message.

The practical applications are broad. Someone signing up for a shopping site they plan to use once does not have to give that retailer their real email and risk it being sold to data brokers or exposed in a future breach. A person joining a forum or community they are unsure about can use an alias and delete it later if they start receiving unwanted contact. For users who share their email address with many different services over time, Hide My Email creates a layer of separation between their online activity and their identity that allows them to segment their digital footprint. The feature is particularly valuable for people who have safety concerns, whether that means avoiding an abusive contact, reducing the surface area for phishing attacks, or simply preventing the steady accumulation of targeted advertising profiles that follows an email address around the internet.

All of that protection depends on one thing being true: that the alias cannot be traced back to the real address. The vulnerability Murphy found means that assumption has been false at least since he discovered the bug in mid-2025, and the flaw itself necessarily predates that discovery by an unknown period.

Apple's Response Timeline: A Year of Incomplete Fixes

The timeline of how Apple responded to Murphy's disclosure is one of the most concerning aspects of this story, and it is worth walking through in detail because the sequence of events is not a simple case of a company ignoring a researcher. It is a more complicated picture of a company that acknowledged the problem, claimed to have fixed it, turned out not to have fixed it, and then continued to investigate over the following months while asking the researcher to wait.

  • June 11, 2025: Murphy and co-founder Ben report the vulnerability to Apple with full replication instructions
  • July 2025: Apple acknowledges receipt of the report and says it is investigating
  • March 2026: Apple tells Murphy the issue has been addressed in a recent system change
  • March 2026 (shortly after): Murphy tests again and finds the vulnerability is still exploitable, providing Apple with additional information
  • April and May 2026: Apple describes additional checks being implemented and promises a fix in a security update expected in the coming weeks
  • May 2026: Apple asks Murphy not to disclose the vulnerability publicly until the investigation is complete
  • May 2026: Murphy proposes that Apple suspend the creation of new Hide My Email addresses as an interim protective measure; no indication this was acted upon
  • Late May 2026: Apple says a fix is expected in a security update in the coming weeks
  • July 1, 2026: Murphy goes public just over a year after the initial report, with no functional fix in place

The most troubling entry in that timeline is March 2026. Apple told Murphy the issue had been addressed in a recent system change. Murphy tested the fix and found it did not work. Apple then continued investigating for roughly another two months before the coming weeks promise was made at the end of May. As of the public disclosure on July 1, the fix promised for the coming weeks in late May had not yet arrived. The total elapsed time from private report to public disclosure is nearly thirteen months, and the bug remained exploitable throughout.

Why the Absence of Known Exploitation Provides Limited Comfort

404 Media and the coverage outlets that followed the story have been careful to note that there is currently no evidence of widespread abuse of this vulnerability in the wild. That is an important fact, and it distinguishes the situation from a breach in which actual user data is known to have been harvested and misused at scale. But the absence of known exploitation should not be confused with a finding that no exploitation has occurred, and it provides considerably less reassurance than it might appear to for several reasons.

The technical mechanics of the exploit have not been publicly disclosed, precisely to prevent the information from spreading to actors who do not already know it. If the vulnerability requires specific knowledge that has not circulated broadly, the population of people who could have exploited it is limited to those who independently discovered it or to whom the method was communicated through non-public channels. That is a smaller set than the total threat landscape, but it is not an empty set, and there is no way to verify retrospectively whether the attack has been used quietly.

The real-world harm potential of a reversed Hide My Email alias is also not limited to the email address itself. Security experts and coverage of the story have highlighted that once a real email address is exposed, it can be cross-referenced with public data brokers and people-search sites, revealing names, home addresses, and phone numbers. The email address is a key that unlocks significantly more personal information that data brokers have already aggregated from other sources, which means the harm radius of each exploited alias extends well beyond the email address alone.

The Users With the Most to Lose

Hide My Email's general user population includes a broad range of people with varying levels of privacy concern, from casual users who simply dislike spam to people with more serious reasons for separating their online activity from their identity. It is the latter group for whom this vulnerability carries the most serious implications.

For the subset of users who rely on the feature specifically because they are avoiding a stalker, an abusive ex-partner, or unwanted contact, an exposed alias is not an inconvenience. Hide My Email exists specifically so a person can hand out an address to an app, a dating site, a customer service form, or a stranger without linking that interaction back to their real identity. Once the alias can be reversed, the separation works against the user: the alias they handed out becomes a lookup key to the identity it was meant to conceal. A person who used a Hide My Email alias specifically to keep their real address private from someone whose contact they were avoiding now potentially has their real address, and through data brokers, potentially their home address and phone number, accessible to whoever exploited the vulnerability.

Murphy's suggestion that Apple suspend the creation of new Hide My Email addresses as an interim protective measure was a direct acknowledgment of this risk. If the feature cannot currently provide the privacy it promises, the responsible interim position would be to stop extending false assurance to new users. The absence of any indication that Apple acted on this suggestion means that during the months between May 2026 and the public disclosure, new iCloud+ subscribers who turned on Hide My Email were doing so in the belief that their aliases were private when they were not.

A Pattern: This Is Not the First Apple Privacy Feature to Fall Short

Apple has built a substantial part of its consumer brand identity around the claim that its products and services protect user privacy in ways that competitors do not. That branding has been commercially valuable and has meaningfully differentiated Apple from the advertising-driven business models of Google and Meta, whose data collection practices have attracted both regulatory scrutiny and public skepticism. The Hide My Email vulnerability does not invalidate that broader positioning, but it fits into a pattern of specific privacy features that have turned out to work less reliably than Apple's marketing implied.

The closest parallel is a 2023 finding in which researchers showed that iOS's Wi-Fi private address feature, which is supposed to present a randomized MAC address (the hardware identifier that can be used to track a device across networks) instead of the device's permanent one, was still exposing the real MAC address on the network. The feature existed, it was described as providing privacy protection, and it turned out not to function as described. The Hide My Email situation follows the same structure: feature exists, feature is marketed as providing a specific privacy protection, feature turns out not to provide that protection due to an implementation flaw.

There is a meaningful difference between the two cases. The MAC address randomization issue was a design or implementation failure that was apparently not discovered through active external attack. The Hide My Email vulnerability, as described, is actively exploitable by someone who has a user's alias address and wants to recover the real address behind it, which is a more adversarially relevant threat model. It is not merely a passive leak; it is a reversible mapping that an attacker can use on demand.

A Separate Change That Compounds the Concern

The vulnerability disclosure lands at a moment when Hide My Email is already under scrutiny for a separate change Apple announced in mid-June 2026. Apple said it would consolidate Hide My Email and Sign in with Apple relay addresses under a single @private.icloud.com domain. The stated purpose of the change is to streamline operations, but critics noted quickly that moving all alias addresses to a single, easily identifiable domain makes it straightforward for websites and services to detect that an email address is an Apple privacy alias and block it, potentially requiring users to provide a real address to register or complete a transaction.

The domain consolidation issue and the vulnerability are technically separate problems, but together they create a picture of Hide My Email under pressure from two directions simultaneously. The vulnerability undermines the feature's core privacy promise at the implementation level. The domain consolidation change risks undermining the feature's practical usability at the policy level, as more services develop rules to block the @private.icloud.com domain the same way they have previously blocked temp-mail services and other anonymous email tools.

What Apple Needs to Do and When

Apple has not publicly responded to the disclosure or to the most recent wave of media inquiries from 404 Media about the vulnerability's status. The company's internal timeline, in which a coming weeks fix was promised from late May, would place that fix within the July timeframe if the promise was genuine when made. Whether that fix arrives as an emergency security update or as part of a regularly scheduled security patch cycle will itself be a signal about how seriously Apple is treating the disclosure now that it is public.

The most immediate action that would limit ongoing user risk, aside from a complete fix, would be transparency about the current state of the feature. Users who relied on Hide My Email for safety-critical privacy reasons deserve to know that the protection it appeared to offer has been compromised, so they can make informed decisions about whether to continue using it, whether to change their real email address, and whether to take other protective steps while the fix is being implemented. Apple's policy of asking Murphy to stay quiet was understandable from a responsible disclosure standpoint in the early months, but the thirteen-month timeline without a functional fix makes that request increasingly difficult to justify in retrospect.

The broader question this situation raises is about Apple's privacy feature development and testing process. A feature marketed as providing a specific and consequential privacy protection should presumably be tested against the exact attack scenario it is designed to prevent before being shipped to iCloud+ subscribers. How the Hide My Email alias reversal vulnerability existed long enough for an external researcher to discover it, report it with full replication instructions, watch Apple claim to fix it, verify it was not fixed, and then wait another four months before disclosure, while the feature continued operating as though it worked, is a question Apple's engineering leadership will need to answer more specifically than any public statement has addressed so far.

What Affected Users Should Consider Right Now

For iCloud+ subscribers who use Hide My Email, the practical guidance available at this point is limited because the technical specifics of the vulnerability have not been publicly disclosed, making it impossible to assess exactly which usage scenarios carry more or less risk. But there are several precautionary steps worth considering while Apple's fix is pending.

  • For any service or person where the privacy of your real email address is critically important, consider whether using a different privacy method with a fully independent email provider rather than a Hide My Email alias offers better current assurance
  • Users who rely on Hide My Email specifically for safety reasons, such as avoiding unwanted contact from specific individuals, should consult additional resources and consider whether their current protective arrangements need to be supplemented while the vulnerability is unresolved
  • Monitor Apple's security update releases, as the company indicated a fix was expected in the coming weeks from late May; a security update that specifically addresses Hide My Email would be the most reliable signal that the issue is resolved
  • Be cautious about assuming the feature is working as intended until Apple makes an explicit public confirmation that the vulnerability has been closed

Apple's privacy branding has been one of the company's most durable commercial assets, and the company's track record on privacy issues, while imperfect, is meaningfully better than most of its large technology company peers. But that track record depends on the features that carry the privacy promise actually delivering it, and the Hide My Email situation represents a year-long gap between Apple's privacy marketing and the technical reality that iCloud+ subscribers were paying for. Closing that gap with a working fix and a transparent accounting of what went wrong and for how long is the minimum the situation warrants.

Related Topics: #Apple #HideMyEmail #iCloudPlus #PrivacyBug #CyberSecurity #DataPrivacy #EasyOptOuts #Technology #AppleSecurity #UserPrivacy