Apple's Hide My Email Flaw Exposes Real Addresses for Over a Year

Original: Security Roundup: Apple’s Hide My Email Service Fails to Hide Your Email

Why This Matters

A long-unpatched flaw in a major privacy feature undermines trust in Apple's ecosystem-wide privacy promises.

A vulnerability in Apple's Hide My Email service has allowed real email addresses to be traced from anonymous @icloud.com aliases for at least one year. Researcher Tyler Murphy reported the flaw to Apple in June 2025, but tests show it remains exploitable as of mid-2026.

Apple's Hide My Email, launched in 2021, generates random @icloud.com addresses that forward mail to a user's real inbox — designed to reduce personal data exposure. Security researcher Tyler Murphy discovered a vulnerability in June 2025 that allows anyone to reverse-engineer the real email address behind a Hide My Email alias. In tests conducted by Murphy and 404 Media, 100% of tested Hide My Email addresses were exploitable. Murphy initially reported the flaw to Apple in summer 2025 and was told it had been 'addressed' by March 2026. However, subsequent testing showed the vulnerability still active. Apple told Murphy a few months ago that it was 'still investigating.' Apple did not respond to requests for comment. Full technical details of the exploit have not been published, as the issue remains unpatched. In a separate story also covered in this roundup, 19-year-old Peter Stokes, an Estonian-US dual citizen, was extradited to the US from Finland to face DoJ charges including computer intrusion, conspiracy, and fraud for alleged involvement with the Scattered Spider hacking group.

Source

wired.com — Read original →