Hide My Email Vulnerability Unfixed for Over a Year, Apple Says It’s Investigating

What You Need to Know
- Hide My Email vulnerability remained unpatched for over a year after June 2025 discovery.
- Apple claimed to fix the flaw in March 2026, but the vulnerability remained exploitable.
- Every Hide My Email address tested was found to be exploitable, a 100% success rate in tests.
- Exposed email addresses can be linked to personal details through public people-search databases.
Apple’s Hide My Email feature, designed to shield users’ real addresses behind randomly generated aliases, has carried an unpatched vulnerability for more than a year. Tyler Murphy, co-founder of EasyOptOuts, discovered the flaw and reported it to Apple in June 2025, along with full replication instructions. Apple acknowledged the report a month later and said it was investigating.
The failure to fix it is the more uncomfortable story here. In March 2026, Apple told Murphy it had “addressed the reported issue in a recent system change,” but Murphy confirmed the flaw remained exploitable. He submitted further details, and Apple responded again to say it was still investigating.
404 Media verified the vulnerability this week using one of its own Hide My Email addresses and is withholding technical specifics because the flaw is still active. In tests Murphy ran with volunteers, every single Hide My Email address tested was found to be exploitable, a 100% hit rate across the sample.
What the exposure actually means
Hide My Email is an iCloud+ feature that generates random alias addresses for use when signing up to services or corresponding with third parties. Its core promise is that a user’s real address stays hidden. Murphy pointed out that freely available people-search databases can tie an email address to a person’s name, location, and other personal details, meaning anyone relying on the feature for personal safety faces a risk they almost certainly do not know exists.
Murphy proposed Apple suspend new Hide My Email address creation as an interim measure while the fix was pending. There is no indication that suggestion was acted on. By May, Apple said a security update was “expected in the coming weeks” and asked Murphy not to disclose the issue publicly until the inquiry was complete. He declined to wait further.
A separate problem surfaced last month: Apple’s move of Hide My Email to a dedicated private.icloud.com domain appears to make it easier for platforms to block iCloud aliases outright, adding another layer of friction for a feature already under pressure.