An Apple Hide My Email vulnerability could allow attackers to uncover users’ real email addresses, according to a security researcher who says Apple has not fully resolved the issue more than a year after receiving the initial report. Although the company previously claimed it had fixed the flaw, the researcher says users remain at risk.

Researcher Discovers Flaw in Hide My Email

Apple created Hide My Email to help users keep their personal email addresses private. The feature generates unique email aliases that forward messages to a user’s primary inbox, allowing people to register for websites, newsletters, and online services without sharing their real email address.

Security researcher Tyler Murphy, co-founder of EasyOptOuts, discovered a vulnerability that could expose the real email address behind one of those aliases.

Murphy reported the flaw to Apple and waited more than a year for a permanent fix. After repeated delays, he decided to disclose the issue publicly, saying he no longer felt comfortable waiting.

Apple Acknowledged the Report but the Flaw Remains

Murphy first contacted Apple about the vulnerability in June 2025, and the company confirmed that it was reviewing the report.

In March 2026, Apple informed Murphy that a recent system change had resolved the issue.

However, Murphy continued testing the feature and found that the vulnerability still worked. Apple continued investigating the problem through May and asked him not to disclose the flaw while the investigation remained ongoing.

Technology publication 404 Media independently verified the vulnerability but chose not to reveal technical details that attackers could exploit while Apple continued working on a fix.

Apple Plans Another Security Update

After additional discussions with Murphy, Apple reportedly said it would address the vulnerability in a future security update instead.

As of the report’s publication, the company had still not released a complete fix, despite previously indicating that it had already resolved the problem.

The continued delay raises fresh questions about the reliability of one of Apple’s core privacy protections.

Planned Domain Change Could Create Compatibility Issues

Apple also plans to simplify its email privacy services by moving both Hide My Email and Sign in with Apple aliases to the new @private.icloud.com subdomain.

The company currently uses @icloud.com and @privaterelay.appleid.com for these services.

While the change should make Apple’s email relay system more consistent, it could also create new problems. Some websites and online services may reject email addresses using the new domain, making the privacy feature less useful for everyday registrations.

Users Should Not Assume Complete Privacy

The ongoing Apple Hide My Email vulnerability shows that privacy features require continuous security testing and timely fixes to remain effective. Although Apple acknowledged the issue and promised additional updates, Murphy’s findings suggest that users cannot yet rely on Hide My Email to fully conceal their real email addresses in every situation. Until Apple releases a permanent fix, users should treat the feature as an extra layer of privacy rather than complete protection.


0 responses to “Apple Hide My Email Flaw Still Exposes Real Email Addresses”