Apple Hide My Email Flaw Exposes 100% of Tested Real Addresses
Updated
Updated · 9to5Mac · Jul 1
Apple Hide My Email Flaw Exposes 100% of Tested Real Addresses
3 articles · Updated · 9to5Mac · Jul 1
Summary
Tyler Murphy said every Hide My Email address he tested could be used to uncover the real email tied to the Apple account, exposing a privacy feature meant to mask users’ identities.
Murphy said he reported the flaw to Apple in June 2025, Apple later said it was fixed in March 2026, but his follow-up testing found the issue still exploitable.
404 Media said it independently verified the bug on Monday with one of its own hidden addresses and withheld technical details because attackers could still abuse it.
Apple had asked Murphy not to disclose the flaw until it was resolved and had said it planned a June fix, but he went public after more than a year without a remedy.
The disclosure lands as Apple prepares to shift Hide My Email addresses to the private.icloud.com domain, a separate change that had already drawn privacy concerns.