Apple’s Hide My Email has a Vulnerability in it and the company has known for over a year

The CyberSec Guru

Apple Hide My Email Bug Exposes Real Addresses


Tyler Murphy, co-founder of the data removal service EasyOptOuts, found a way to unmask the real address behind any Hide My Email alias and reported it to Apple in June 2025, along with instructions to replicate it. Apple acknowledged the report a month later and said it was investigating. Twelve months and change later, the bug is still live. 404 Media confirmed it works this week, and Murphy says he is done waiting quietly for Apple to act.

[Image: Apple’s Hide My Email feature]

What Hide My Email does

Hide My Email sits inside iCloud+, Apple’s paid storage and privacy tier. It generates disposable forwarding addresses, typically two random words plus a number ending in @icloud.com, that route incoming mail to a user’s real inbox without exposing that inbox to whoever is on the other end of the signup form. The pitch is straightforward: cut down on spam, avoid tying accounts to a real identity, and limit what a data breach at some random shopping site or newsletter can expose about you. It works the same way as a mail relay: the alias exists purely as a forwarding record on Apple’s servers, with the actual delivery destination hidden from the sender.

That hidden destination is exactly what Murphy figured out how to pull.

A year of “we’re looking into it”

According to messages Murphy shared with 404 Media, the timeline goes like this. He filed the report in June 2025 with steps to reproduce the flaw. Apple replied a month later saying it was under review. Nothing happened for months. Then in March 2026, Apple told Murphy it had “addressed the reported issue in a recent system change,” but Murphy found the flaw had not in fact been closed. He sent Apple more detail. Apple came back and said, again, that it was looking into it.

By May, Apple was still telling him the investigation was ongoing and asked him to hold off on going public until it wrapped up. Murphy pushed back with a fairly obvious mitigation: stop selling new Hide My Email addresses until the hole is patched. By the end of May, Apple said it expected to address the issue in a security update “expected in the coming weeks.”

That was the last straw for Murphy. He told 404 Media, “We don’t feel comfortable waiting any longer.”

The test

To confirm the bug was real and current, a 404 Media reporter generated a brand new Hide My Email alias and handed it to Murphy with nothing else. About five minutes later, he sent back the real Apple ID address tied to the account. In Murphy’s own testing with a small group of volunteers, every single Hide My Email address they checked could be reversed this way. He is careful to note that the volunteer sample was limited and the real scope across all iCloud+ users is unknown, but a 100 percent hit rate on a live production system is not a small thing to sit on for a year.

404 Media is deliberately not publishing how the exploit works, and neither will I, because it is still functional as of this week. What’s known publicly is that it does not require any special access, account compromise, or social engineering of the target. Someone only needs the alias itself.

There is one piece of community speculation worth mentioning, and it is speculation, nothing more. On the MacRumors forums, users digging through the reporting floated the idea that the leak might involve sending a deliberately malformed message to a Hide My Email address and reading the bounce. A non-delivery report can carry the underlying forwarding target depending on how the mail transfer agent constructs the failure notice: a forwarding hop that has already rewritten the envelope recipient to the real mailbox may name that mailbox in the Final-Recipient field of a standard delivery status notification, copy the downstream server’s rejection text verbatim into Diagnostic-Code, or return the message’s Delivered-To trace headers. If that theory holds, it would be a configuration issue in how Apple’s relay infrastructure handles rejected or malformed mail rather than a flaw in the alias generation itself, and it would explain why a fix has been elusive: patching bounce handling without breaking legitimate delivery failure notifications across a system serving hundreds of millions of accounts is not trivial. Again, unconfirmed. Take it as informed guesswork, not a technical writeup.
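To make the forum theory concrete without claiming it is what Apple’s bug actually is, here is an added example (my own code, not from the article, from Apple, or from the MacRumors posters) that models a forwarding relay generating a non-delivery report using the field names RFC 3464 defines. A relay that rewrites the envelope recipient to the real mailbox and then copies the downstream rejection straight into its bounce exposes that mailbox in three places: the Final-Recipient field, the Diagnostic-Code text, and the Delivered-To trace header of the returned message. The hardened version reports the failure purely in terms of the alias. Every address, hostname and rejection string below is constructed for the example.

```python
"""Added example (not from the article or Apple): how a forwarding relay's
non-delivery report (DSN, RFC 3464) can disclose the real mailbox behind an
alias, and how a relay can build one that only ever names the alias.
All addresses, hostnames and the downstream rejection text are constructed."""

import re

ALIAS = "quiet.harbor42@relay.example"        # constructed forwarding alias
REAL = "victim.fullname@mailbox.example"      # constructed hidden destination
ALIAS_TABLE = {ALIAS: REAL}                   # the relay's forwarding record

# What a downstream MTA might say when it rejects the forwarded message. It
# naturally names the envelope recipient it was handed, i.e. the real mailbox.
DOWNSTREAM_REJECT = f"554 5.6.0 <{REAL}>: message rejected, malformed header"

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Trace headers a forwarding hop adds that embed the rewritten recipient.
DESTINATION_HEADERS = ("Delivered-To", "X-Original-To", "X-Forwarded-To")


def forwarded_headers(rcpt_after_rewrite: str) -> str:
    """Headers of the message as it left the relay toward the real mailbox."""
    return (
        f"Delivered-To: {rcpt_after_rewrite}\r\n"
        f"X-Original-To: {rcpt_after_rewrite}\r\n"
        "From: probe@sender.example\r\n"
        f"To: {ALIAS}\r\n"
        "Subject: probe\r\n"
    )


def build_dsn(final_recipient: str, diagnostic: str, returned_headers: str) -> str:
    """Assemble a minimal multipart/report DSN (RFC 3464 field names)."""
    return (
        "From: Mail Delivery System <MAILER-DAEMON@relay.example>\r\n"
        "To: probe@sender.example\r\n"
        "Subject: Undelivered Mail Returned to Sender\r\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="B"\r\n'
        "\r\n--B\r\nContent-Type: text/plain\r\n\r\nDelivery failed.\r\n"
        "--B\r\nContent-Type: message/delivery-status\r\n\r\n"
        "Reporting-MTA: dns; relay.example\r\n\r\n"
        f"Original-Recipient: rfc822;{ALIAS}\r\n"
        f"Final-Recipient: rfc822;{final_recipient}\r\n"
        "Action: failed\r\nStatus: 5.6.0\r\n"
        f"Diagnostic-Code: smtp; {diagnostic}\r\n"
        "--B\r\nContent-Type: text/rfc822-headers\r\n\r\n"
        f"{returned_headers}--B--\r\n"
    )


def naive_bounce() -> str:
    """Relay copies the downstream rejection verbatim: Final-Recipient is the
    rewritten envelope address, the diagnostic names it, and the returned
    headers carry the relay's own Delivered-To trace."""
    real = ALIAS_TABLE[ALIAS]
    return build_dsn(real, DOWNSTREAM_REJECT, forwarded_headers(real))


def scrub(text: str, real: str) -> str:
    """Replace the hidden destination with the alias wherever it appears."""
    return text.replace(real, ALIAS)


def hardened_bounce() -> str:
    """Relay reports the failure only in terms of the alias: it points
    Final-Recipient at the alias, rewrites the diagnostic, and drops the
    trace headers that record where the message was forwarded."""
    real = ALIAS_TABLE[ALIAS]
    kept = [
        line for line in forwarded_headers(real).split("\r\n")
        if line and not line.startswith(DESTINATION_HEADERS)
    ]
    returned = "\r\n".join(kept) + "\r\n"
    return build_dsn(ALIAS, scrub(DOWNSTREAM_REJECT, real), scrub(returned, real))


def addresses_in(dsn: str) -> set:
    """Every address a sender who provoked the bounce can read out of it."""
    return set(ADDR_RE.findall(dsn))


def leaks_destination(dsn: str) -> bool:
    """True if the bounce discloses the real mailbox behind the alias."""
    return REAL in addresses_in(dsn)


if __name__ == "__main__":
    print("naive bounce leaks real mailbox:", leaks_destination(naive_bounce()))
    print("hardened bounce leaks real mailbox:", leaks_destination(hardened_bounce()))
```

The check a practitioner would run against any forwarding service is what `addresses_in` does: provoke a bounce through an alias you own and look for any address in the DSN other than the alias itself. Scrubbing the diagnostic text matters as much as the Final-Recipient field, because the downstream server’s rejection line names whatever envelope address it was handed, and a relay that pastes it in unchanged undoes the rest of the masking.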

Why this matters more than a typical spam-avoidance bug

Hide My Email gets marketed as spam control, but plenty of people use it as an actual safety layer. Domestic violence survivors, journalists, people avoiding a specific harasser, anyone trying to keep a people-search site from linking their name to their inbox. Murphy pointed out the part that makes this dangerous rather than just annoying: free, public people-search databases can take a real email address and immediately chain it to a name, a home address, phone numbers, relatives, and more. An alias that can be reversed in five minutes is not providing the protection it claims to.

The domain change makes things worse in a different way

Separately, and with unfortunate timing, Apple announced on June 16 that in the coming weeks the company will move its anonymously generated email addresses to @private.icloud.com, effectively making it easier for apps and websites to know that an email address is a masked one and block it outright. Right now Hide My Email addresses share the same @icloud.com domain as every regular iCloud user, which is precisely why they cannot be filtered out without also blocking legitimate iCloud users. Move the aliases to their own subdomain and that camouflage disappears.

Officially, Apple frames this as consolidation. Sign in with Apple addresses, previously issued on privaterelay.appleid.com, will be issued on private.icloud.com, and iCloud+ Hide My Email addresses, previously issued on icloud.com, will be issued on private.icloud.com. Existing addresses on the legacy domains will continue to work and forward mail without interruption. Developers are being told to update allowlists, and mail providers are being told to update their filtering and suppression rules to recognize the new domain. All reasonable from an infrastructure standpoint. The side effect is that a single subdomain block rule now instantly identifies and can reject any Apple-masked address, old exploit or not.

So two separate problems land in the same window: aliases that leak the address they are supposed to hide, and an architecture change that makes those same aliases trivially identifiable and blockable with a single domain-match rule. Neither was designed to compound the other, but that is where things sit as of this week.

Apple’s response so far: none

404 Media says Apple did not respond to multiple requests for comment. No advisory, no CVE, no acknowledgment beyond the private back and forth with Murphy. For a company that leans hard on privacy as a selling point in its marketing, a known, reproducible, one hundred percent hit rate identity leak sitting unpatched for a year is a bad look regardless of how the eventual fix gets framed.

What to do right now

If you are relying on Hide My Email specifically because you need your real address kept away from a particular person or platform, do not treat the alias as a hard barrier at the moment. Consider a secondary alias service that is not implicated in this report as a stopgap for anything sensitive, and keep an eye on Apple’s security update notes for an actual fix rather than another “addressed in a recent system change” line that turns out not to be true. For everyday spam control, the risk calculus is different since the exposure is annoying rather than dangerous, but it is still worth knowing the protection is currently theoretical rather than real.
