Apple Hide My Email Vulnerability Exposes Real Email Addresses
A flaw in Apple's Hide My Email service can reportedly allow almost anyone to uncover the real email address behind a generated alias, and Apple has failed to address it for more than a year since it was first reported. 404 Media is withholding the technical specifics of the vulnerability because it remains exploitable, but the publication verified the issue this week using one of its own Hide My Email addresses. In tests with volunteers by the researcher who discovered the flaw, 100% of Hide My Email addresses were found to be exploitable. Tyler Murphy, co-founder of EasyOptOuts, discovered the issue and responsibly reported it to Apple in June 2025, along with instructions to replicate it. Apple acknowledged the report a month later and said it was investigating. Murphy said: Apple Hide My Email is leaking email addresses that are supposed to be hidden. We reported the issue and replication instructions to Apple over a year ago. We don't know why it hasn't been fixed, but we don't feel comfortable waiting any longer. Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses. Free, publicly accessible people-search sites make it easy to link an email address to other personal details, so people relying on Hide My Email for safety may be at risk. In March 2026, Apple told Murphy it had "addressed the reported issue in a recent system change," but Murphy found the flaw had not in fact been closed. He provided further information, and Apple replied again to say it was still investigating. In May, Apple once more said the issue remained under investigation and asked Murphy not to disclose it publicly until the inquiry was complete. Murphy proposed that Apple suspend the creation of new Hide My Email addresses as an interim measure to limit customer risk, but there is no indication that suggestion was acted on. By the end of May, Apple said it expected to address the issue in a security update "expected in the com