Vulnerabilities Bearish 7

1+ year-old Apple Hide My Email flaw unmasked 100% of aliases tested

· 3 min read · Verified by 2 sources ·
Share

Key Takeaways

  • A critical privacy vulnerability in Apple's Hide My Email feature went unaddressed for over a year despite responsible disclosure, leaving users exposed to email unmasking.
  • Cybersecurity researchers from EasyOptOuts found that 100% of tested aliases were reversible, and the flaw remains active as of July 2026.
  • Apple acknowledged the bug, but a claimed March 2026 fix failed, highlighting lapses in vulnerability management.

Mentioned

Apple company AAPL Hide My Email product EasyOptOuts company 404 Media company Tyler Murphy person Joseph Cox person

Key Intelligence

Key Facts

  1. 1The vulnerability allows attackers to discover the real email address behind any iCloud+ Hide My Email alias.
  2. 2EasyOptOuts reported the flaw to Apple on June 11, 2025, with reproduction steps provided on June 13, 2025.
  3. 3Apple initially acknowledged the bug as unintended within two days, but a claimed fix on March 3, 2026, failed to resolve the issue.
  4. 4In tests with volunteers, 100% of Hide My Email addresses were exploitable, including a newly generated alias for journalist Joseph Cox.
  5. 5As of July 1, 2026, more than 13 months after disclosure, the vulnerability remains unpatched and actively exploitable.
  6. 6404 Media independently verified the exploit and is deliberately withholding its technical details to protect users.
Aliases Exploitable
100%

EasyOptOuts tested with volunteers; 404 Media confirmed on a freshly generated alias

Apple Hide My Email is leaking email addresses that are supposed to be hidden. We reported the issue and replication instructions to Apple over a year ago. We don't know why it hasn't been fixed, but we don't feel comfortable waiting any longer. Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses.

Tyler Murphy Cofounder, EasyOptOuts

To 404 Media upon public disclosure

Analysis

For cybersecurity professionals, this incident is a textbook case of how even a responsible disclosure process can break down when vendors fail to validate patches. EasyOptOuts followed protocol: they reported the bug, supplied proof-of-concept steps, and waited. Apple’s acknowledgment and subsequent botched fix underscore the need for continuous third-party verification and transparent communication. With over 225 million iCloud+ subscribers potentially affected, the attack surface for credential harvesting and spear-phishing just widened dramatically—and the exploit still works.

Apple's Hide My Email, a flagship privacy feature bundled with iCloud+, has been leaking the real email addresses it was designed to conceal for more than a year, according to security researchers who reported the flaw to the company in June 2025. The vulnerability, which remains active and unpatched as of July 2026, allows any attacker to unmask the true inbox associated with any randomly generated Hide My Email alias. In tests conducted by EasyOptOuts, the privacy firm that discovered the issue, the exploit succeeded on 100% of aliases—including a fresh address created specifically for 404 Media journalist Joseph Cox, whose real email was recovered within minutes. Independently, 404 Media verified the flaw before publishing, but is withholding the technical details to prevent immediate weaponization.

On June 11, 2025, EasyOptOuts co-founders Tyler Murphy and his colleague Ben filed a report with Apple.

The disclosure timeline reveals a troubled remediation process. On June 11, 2025, EasyOptOuts co-founders Tyler Murphy and his colleague Ben filed a report with Apple. Within two days, Apple acknowledged that the behavior "was not intended by design," confirming it as a legitimate bug. The researchers submitted detailed reproduction steps on June 13, added further context on June 20, and reported a second related vulnerability on July 9; by July 14, Apple stated both were under review. Yet the months that followed brought no patch. On March 3, 2026, Apple informed the researchers that it had "addressed" the issue. However, Murphy found the exploit still functional, and subsequent tests by 404 Media this week confirm its continued viability.

What to Watch

This protracted gap between initial disclosure and effective remediation—spanning more than 380 days—raises serious concerns about Apple's vulnerability management processes. Hide My Email is marketed as a cornerstone of digital privacy for individuals signing up for newsletters, trial accounts, or one-off purchases without risking spam or phishing. By failing to close the loophole, Apple has left hundreds of millions of iCloud+ subscribers exposed to potential deanonymization. Cybercriminals who discover the technique could harvest real inboxes at scale, fueling credential-stuffing campaigns, targeted phishing, or social engineering attacks. Journalists, activists, and other at-risk users who rely on the feature for operational security face especially grave consequences.

The incident also underscores a familiar tension in vulnerability disclosure: even when a vendor engages constructively, a patch that is not properly validated can perpetuate risk. Apple's public silence on the matter—no security advisory, no update to its iCloud+ privacy claims—further erodes trust. While the exploit’s mechanics remain undisclosed for now, the fact that a small research team could iterate and a journalist could independently confirm the bug strongly implies that skilled adversaries may have already reverse-engineered it. Users have little recourse short of abandoning the feature or auditing forwarded mail flows, which defeats the purpose. For Apple, the episode is a stark reminder that marketing privacy is no substitute for engineering it—and that the clock on responsible disclosure runs both ways.

Timeline

Timeline

  1. Initial vulnerability report

  2. Reproduction steps submitted

  3. Additional details shared

  4. Second related vulnerability reported

  5. Apple confirms both issues under review

  6. Apple claims fix is deployed

  7. 404 Media independent verification

Sources

Sources

Based on 2 source articles

How we covered this story

Every story in our cybersecurity coverage is assembled from multiple primary sources, cross-referenced for factual consistency, and scored along three independent dimensions: sentiment, operational impact, and source-cluster confidence. Single-source rumors and unverifiable claims do not pass our editorial gate. When a story shows "Verified by N sources" with N≥2, the development is independently corroborated; when N=1, we mark it explicitly so readers can weigh the signal accordingly.

Impact scoring uses a 1-10 scale weighted toward regulatory, financial, and operational consequence rather than coverage volume. A topic that runs in every outlet but moves no real decisions ranks lower than a niche regulatory filing that reshapes how operators in the cybersecurity space have to behave. Read our full methodology for the scoring rubric, our glossary for term definitions, and our trends index for the longitudinal view across the beat.