404 Media is withholding the technical specifics of the vulnerability because it remains exploitable, but the publication verified the issue this week using one of its own Hide My Email addresses. In tests with volunteers by the researcher who discovered the flaw, 100% of Hide My Email addresses were found to be exploitable.
Tyler Murphy, co-founder of EasyOptOuts, discovered the issue and responsibly reported it to Apple in June 2025, along with instructions to replicate it. Apple acknowledged the report a month later and said it was investigating. Murphy said:
Apple Hide My Email is leaking email addresses that are supposed to be hidden. We reported the issue and replication instructions to Apple over a year ago. We don't know why it hasn't been fixed, but we don't feel comfortable waiting any longer. Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses.
Free, publicly accessible people-search sites make it easy to link an email address to other personal details, so people relying on Hide My Email for security may be at risk.
In March 2026, Apple told Murphy it had "addressed the reported issue in a recent system change," but Murphy found the flaw had not in fact been closed. He provided further information, and Apple replied again to say it was still investigating.
In May, Apple once more said the issue remained under investigation and asked Murphy not to disclose it publicly until the inquiry was complete. Murphy proposed that Apple suspend the creation of new Hide My Email addresses as an interim measure to limit customer risk, but there is no indication that suggestion was acted on. By the end of May, Apple said it expected to address the issue in a security update "expected in the coming weeks."
Hide My Email is an iCloud+ feature that lets users create random alias email addresses, primarily for use when signing up to services or corresponding with third parties. It is designed to protect a user's real email address from spam, data breaches, and unwanted identification.
Murphy noted that many people-search databases are freely available online and can tie an email address to a person's other personal details, meaning anyone depending on Hide My Email for their security may be more exposed than they realize. Last month, it emerged that Apple's decision to move Hide My Email to a dedicated "private.icloud.com" domain appears to have had the effect of making it easier for platforms that want to block iCloud aliases to do so.
This article, "Apple Hide My Email Vulnerability Exposes Real Email Addresses" first appeared on MacRumors.com