An unpatched vulnerability in Apple’s “Hide My Email” privacy feature can allow attackers — including those with limited technical skill — to discover the real email address behind an anonymized alias, according to researcher Tyler Murphy and independent tests by 404 Media. Apple was notified of the flaw over a year ago, with detailed reproduction steps provided under responsible disclosure, yet the vulnerability remains active in production services as of July 2026.
What Is Hide My Email?
Hide My Email is a privacy feature included with Apple’s iCloud+ subscription service, available across iPhone, iPad, and Mac. It generates unique, randomly created email relay addresses that forward messages to a user’s real inbox, while keeping the underlying email address completely hidden from apps, websites, and services that the user signs up with.
The feature is particularly popular among privacy-conscious users — journalists, activists, researchers, and individuals trying to limit tracking and spam. When creating an account on a third-party service, users can provide a Hide My Email alias instead of their real address, with Apple acting as an invisible relay. In theory, the alias cannot be linked back to the real identity.
The Vulnerability
According to Tyler Murphy, co-founder of EasyOptOuts (a personal data removal service), a flaw in the mechanism underpinning Hide My Email allows an attacker to resolve a Hide My Email alias back to the user’s real email address. The bug was independently validated by 404 Media, which confirmed it remained exploitable against one of its own hidden addresses as recently as this week.
Murphy’s team discovered the vulnerability through their work on data removal services, which involves processing and correlating large volumes of email addresses. They provided Apple with a full vulnerability report and detailed reproduction instructions more than a year ago, following standard responsible disclosure practices.
Apple acknowledged receipt of the report but has not deployed a fix, communicated a timeline for remediation, or offered affected users any mitigation guidance. After waiting over a year with no patch forthcoming, Murphy and 404 Media opted for partial disclosure: warning the public that the vulnerability exists and that Hide My Email aliases may be resolvable back to real identities, while withholding the specific exploitation steps to prevent trivial abuse.
Who Is At Risk?
Any iCloud+ subscriber who has used Hide My Email aliases to sign up for services is potentially affected. This includes users who relied on the feature to:
- Register accounts on third-party websites or apps while keeping their real email private
- Sign in to services using “Sign in with Apple” with a hidden email option enabled
- Submit tips or contact forms while anonymizing their identity
- Separate their personal identity from professional or activist activities
The risk is not merely theoretical. Because exploitation reportedly requires only limited technical skill, the attack model extends to ordinary actors — not just sophisticated adversaries. In practice, this means the vulnerability could be used to de-anonymize journalists’ sources, expose activists to retaliation, or enable targeted phishing campaigns against individuals who believed their email identity was protected.
Apple’s Response and the Vendor Silence Problem
Murphy stated publicly: “We reported the issue and replication instructions to Apple over a year ago. We don’t know why it hasn’t been fixed, but we don’t feel comfortable waiting any longer. Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses.”
Apple has not publicly commented on the disclosure. This situation illustrates a growing tension in vulnerability disclosure: when a major vendor receives a critical privacy vulnerability report through proper channels and fails to remediate or communicate for an extended period, researchers and journalists face a difficult choice between indefinite silence and partial public disclosure to warn affected users.
Interim Guidance for Affected Users
Until Apple releases a patch, users who rely on Hide My Email for privacy-sensitive contexts should take the following precautions:
- Treat aliases as potentially linkable: Do not assume that a Hide My Email alias is fully opaque. Until a fix is confirmed, treat aliases as weak pseudonyms rather than true anonymization.
- Use alternative solutions for high-risk contexts: For situations requiring stronger anonymization — such as whistleblowing, investigative journalism, or sensitive activism — consider alternative email aliasing services or dedicated anonymous communication tools with stronger privacy guarantees.
- Monitor for phishing targeting your primary address: If you have used Hide My Email aliases and begin receiving targeted phishing emails at your real address referencing services you signed up for with an alias, it may indicate the vulnerability has been used against you.
- Watch for an Apple security update: Monitor Apple Security Updates and apply any patch that addresses a vulnerability in Hide My Email or iCloud+ email relay services immediately upon release.
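The phishing indicator in the guidance above can be checked mechanically: mail that arrives directly at the real inbox yet refers to a service that was only ever given a Hide My Email alias is worth a second look. The following is an added illustration written for this article, not code from Apple, EasyOptOuts or 404 Media; the addresses, relay domain and messages are constructed placeholders a user would replace with their own records.

```python
import re
from dataclasses import dataclass

# Constructed registry: which service each alias was handed to. A user would
# fill this from their own records (e.g. a password-manager export).
REAL_ADDRESS = "me@primary.example"          # placeholder real inbox
ALIAS_REGISTRY = {                            # placeholder relay domain
    "quiet.maple.1234@relay.example": "examplebank.test",
    "dusty.river.5678@relay.example": "gadget-shop.example",
}

@dataclass
class Message:
    to: str
    sender: str
    subject: str
    body: str

def services_mentioned(msg, services):
    """Return the alias-only services named anywhere in a message."""
    haystack = f"{msg.sender} {msg.subject} {msg.body}".lower()
    hits = []
    for svc in services:
        name = svc.split(".")[0]  # also match the bare brand, e.g. 'examplebank'
        if (re.search(r"\b" + re.escape(svc) + r"\b", haystack)
                or re.search(r"\b" + re.escape(name) + r"\b", haystack)):
            hits.append(svc)
    return hits

def flag_alias_leaks(messages, registry=ALIAS_REGISTRY, real=REAL_ADDRESS):
    """Flag mail delivered to the real address that references an alias-only service."""
    services = set(registry.values())
    findings = []
    for msg in messages:
        if msg.to.lower() != real.lower():
            continue  # arrived through a relay alias: the expected path, not an indicator
        hits = services_mentioned(msg, services)
        if hits:
            findings.append((msg.subject, sorted(hits)))
    return findings

# Constructed sample inbox: one legitimate relayed message, one suspicious
# message sent straight to the real address, one unrelated personal mail.
SAMPLE_INBOX = [
    Message("quiet.maple.1234@relay.example", "alerts@examplebank.test",
            "Statement ready", "Your ExampleBank statement is available."),
    Message("me@primary.example", "security@examplebank-support.test",
            "Verify your ExampleBank account", "Unusual login, verify at examplebank.test now."),
    Message("me@primary.example", "friend@elsewhere.example", "Dinner?", "Free on Friday?"),
]

if __name__ == "__main__":
    for subject, hits in flag_alias_leaks(SAMPLE_INBOX):
        print(f"possible alias-to-real correlation: {subject!r} mentions {hits}")
```

A hit is a correlation signal, not proof of exploitation; it is the trigger to rotate the alias and scrutinise the message before acting on it.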
Secure Bulletin will update this article when Apple releases a patch or provides official guidance on the vulnerability.