Published 2 days ago • Updated 3 hours ago
Apple’s Hide My Email Feature Has an Unfixed Bug that Leaves Email Addresses Exposed
Researchers say the flaw affects every tested alias and could expose users to spam, breaches and identification through linked people-search databases.
A vulnerability in Apple's Hide My Email feature allows attackers to reveal users' real email addresses, with EasyOptOuts cofounder Tyler Murphy reporting that 100% of tested addresses were exploitable.
Murphy reported the issue to Apple in June 2025 with replication instructions, yet the vulnerability remained unpatched for over a year despite the company acknowledging the report.
Although Apple claimed to have addressed the flaw in March 2026, Murphy verified the vulnerability persisted; 404 Media independently confirmed the exploit this week while withholding technical details.
Users relying on the iCloud+ feature for safety remain exposed, as free, publicly accessible people-search sites can easily link discovered email addresses to other personal details.
Apple recently announced plans to move Hide My Email addresses to a dedicated 'private.icloud.com' domain, allowing services to block aliases, though this does not address the underlying security vulnerability.
Hiding My Email is one of Apple's pillars to ensure the privacy of users. This security mechanism that should protect users online is now under scrutiny. What it is...
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
Daily Cyber Security podcast
SANS Stormcast Thursday, July 2nd, 2026: MetaMask Phishing; Adobe Patches; Google Chrome Patches; Apple Hide-My-Email Vuln
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast) discusses 404 Media’s report that an Apple Hide My Email flaw can reveal users’ real addresses, reportedly via bounce messages from oversized attachments.