Apple's Hide My Email Vulnerability Exposes Real Addresses, Company Knew for Over a Year

Within five minutes, he had their actual email.
A researcher tested the Hide My Email vulnerability and successfully exposed a journalist's real address in under five minutes.

Apple's Hide My Email feature, designed to shield users from data brokers and breaches by generating anonymous email aliases, has been quietly failing at its core promise. A researcher discovered that free public databases can reverse-engineer real addresses from aliases in minutes — and Apple has known about this for over a year. In the broader human story of trust between technology companies and the people who rely on them, this is a familiar and sobering chapter: a privacy tool that offered shelter turned out to have a door left open.

  • A security researcher demonstrated that Apple's Hide My Email aliases can be unmasked in under five minutes using freely available people-search databases — exposing the real addresses users believed were hidden.
  • Apple was first alerted to the flaw in June 2025, claimed to have patched it in March 2026, but the exploit continued to work — leaving users unknowingly exposed for more than a year.
  • The researcher ultimately went public against Apple's request for silence, arguing that users deserved to know they were relying on a compromised tool.
  • A separate planned change — shifting alias domains from @icloud.com to @private.icloud.com — threatens to make aliases visibly identifiable, potentially allowing services to block them outright.
  • Users who built their privacy routines around Hide My Email now face an uncomfortable choice: continue using a known-broken feature or scramble for alternatives Apple has not yet provided.

Apple's Hide My Email is built on a simple and appealing premise: generate a random alias so that the services you sign up for never learn your real address. If a company is hacked or sells your data, the damage stops at the alias. Except, as reported by 404 Media, that premise no longer holds.

Researcher Tyler Murphy, co-founder of EasyOptOuts, demonstrated the flaw by accepting a single alias from a journalist and returning their real email address within five minutes — using only free, publicly available people-search databases. He repeated the test on other aliases. It worked every time.

What sharpens the concern is the timeline. Murphy first reported the vulnerability to Apple in June 2025. Apple acknowledged it, investigated, and announced a patch in March 2026. The patch didn't work. Murphy checked, confirmed the exploit still functioned, and contacted Apple again. By May 2026 — more than a year after his initial report — Apple told him it was still looking into the issue and asked him to stay quiet in the meantime. Murphy decided the people depending on the feature had a right to know it was broken.

The vulnerability arrives alongside a separate threat to the feature's usefulness. Apple reportedly plans to change alias domains from @icloud.com to @private.icloud.com. That small typographical shift would strip away the feature's most valuable quality: the ability to blend in. Aliases currently look like ordinary iCloud addresses. Flagging them with the word "private" would make them immediately recognizable — and blockable — by any service a user tries to join.

For those who have trusted Hide My Email as a reliable layer of privacy, the situation is genuinely uncomfortable. The shield has a hole in it, the company that built it has known for over a year, and the path forward remains unclear.

You set up a new account somewhere you don't quite trust, so you reach for Apple's Hide My Email. The feature generates an alias—something like [email protected]—and you use that instead of your real address. If the company gets hacked or sells your data, they never had your actual email. That's the whole point. Except, according to reporting from 404 Media, that protection is broken.

The vulnerability works like this: someone with access to free, publicly available people-search databases can cross-reference your Hide My Email alias and pull out your real address. It takes minutes. Researcher Tyler Murphy, co-founder of EasyOptOuts, tested it with a journalist from 404 Media. They sent Murphy one of their aliases. Within five minutes, he had their actual email. When Murphy tried the same technique on other aliases, it worked every time.

What makes this worse is the timeline. Murphy first reported the flaw to Apple in June 2025. Apple acknowledged the problem a month later and said it was investigating. Then in March 2026, Apple announced it had patched the vulnerability. Except it hadn't. When Murphy checked again, the exploit still worked. He contacted Apple a second time. The company confirmed in May 2026 that it was still looking into the issue—more than a year after the initial report. Apple asked Murphy to keep quiet until a real fix was in place, to avoid putting users at risk. Murphy decided he couldn't do that. People were relying on a feature that Apple itself knew was compromised.

The timing is particularly bad because Hide My Email is already under pressure from another direction. TechCrunch reported that Apple plans to change the domain structure of its aliases from @icloud.com to @private.icloud.com. That small change would be a major blow to the feature's usefulness. Right now, Hide My Email aliases look like regular iCloud addresses—indistinguishable from real ones. If Apple slaps "private" in the domain name, every service you try to sign up for will immediately know you're using a mask. Some sites might block aliases outright. The whole point of the feature—to hide in plain sight—would evaporate.

For anyone who has built Hide My Email into their privacy routine, this is a difficult moment. The feature was supposed to be a reliable shield against data brokers and breaches. Instead, it turns out the shield has a hole in it, and the company that built it has known about the hole for over a year without fixing it. Apple's silence on both fronts—the vulnerability and the planned domain change—leaves users in a strange position: keep using a tool you now know is compromised, or scramble to find an alternative. Neither option is comfortable.

Almost anyone can tap into this vulnerability to learn the real email address behind any Hide My Email proxy.
— Tyler Murphy, co-founder of EasyOptOuts
Murphy said he didn't feel comfortable letting users continue to rely on Hide My Email without knowing about the risks.
— Tyler Murphy's position on disclosure
La Conversación del Hearth Otra perspectiva de la historia
Inventor

So the vulnerability itself—is it something a regular person could exploit, or does it require technical skill?

Model

That's the scary part. Murphy says "almost anyone" can do it. You don't need to be a hacker. You just need access to the same public people-search databases that data brokers use. Those are free and available to anyone.

Inventor

And Apple knew about this for over a year?

Model

Yes. Murphy reported it in June 2025. Apple said it patched it in March 2026. But when Murphy tested again, it still didn't work. So either the patch failed, or there was no real patch at all.

Inventor

Why would Apple claim to fix something it didn't actually fix?

Model

That's the question no one can answer yet. Maybe the patch was incomplete. Maybe Apple misunderstood the vulnerability. But the effect is the same: users were told they were safe when they weren't.

Inventor

And now Apple wants to make the aliases obviously identifiable?

Model

Right. Which defeats the entire purpose. If every service knows you're using an alias, they can reject it. The feature becomes useless.

Inventor

So what are people supposed to do?

Model

That's unclear. For now, people who rely on Hide My Email are stuck. They can keep using it and hope Apple actually fixes the vulnerability this time. Or they can switch to a third-party email masking service and hope that's more trustworthy. Neither option is great.

Quieres la nota completa? Lee el original en Lifehacker ↗
Contáctanos FAQ