Updated
Updated · 9to5Mac · Jul 1
Apple Hide My Email Flaw Exposes 100% of Tested Real Addresses
Updated
Updated · 9to5Mac · Jul 1

Apple Hide My Email Flaw Exposes 100% of Tested Real Addresses

3 articles · Updated · 9to5Mac · Jul 1

Summary

  • Tyler Murphy said every Hide My Email address he tested could be used to uncover the real email tied to the Apple account, exposing a privacy feature meant to mask users’ identities.
  • Murphy said he reported the flaw to Apple in June 2025, Apple later said it was fixed in March 2026, but his follow-up testing found the issue still exploitable.
  • 404 Media said it independently verified the bug on Monday with one of its own hidden addresses and withheld technical details because attackers could still abuse it.
  • Apple had asked Murphy not to disclose the flaw until it was resolved and had said it planned a June fix, but he went public after more than a year without a remedy.
  • The disclosure lands as Apple prepares to shift Hide My Email addresses to the private.icloud.com domain, a separate change that had already drawn privacy concerns.

Insights

If Apple failed to fix a known email flaw for a year, what other privacy risks are hiding in its ecosystem?
After repeated failures and domain changes, is Apple's 'Hide My Email' feature now doing more harm than good?