1+ year-old Apple Hide My Email flaw unmasked 100% of aliases tested
Key Takeaways
- A critical privacy vulnerability in Apple's Hide My Email feature went unaddressed for over a year despite responsible disclosure, leaving users exposed to email unmasking.
- Cybersecurity researchers from EasyOptOuts found that 100% of tested aliases were reversible, and the flaw remains active as of July 2026.
- Apple acknowledged the bug, but a claimed March 2026 fix failed, highlighting lapses in vulnerability management.
Mentioned
Key Intelligence
Key Facts
- 1The vulnerability allows attackers to discover the real email address behind any iCloud+ Hide My Email alias.
- 2EasyOptOuts reported the flaw to Apple on June 11, 2025, with reproduction steps provided on June 13, 2025.
- 3Apple initially acknowledged the bug as unintended within two days, but a claimed fix on March 3, 2026, failed to resolve the issue.
- 4In tests with volunteers, 100% of Hide My Email addresses were exploitable, including a newly generated alias for journalist Joseph Cox.
- 5As of July 1, 2026, more than 13 months after disclosure, the vulnerability remains unpatched and actively exploitable.
- 6404 Media independently verified the exploit and is deliberately withholding its technical details to protect users.
EasyOptOuts tested with volunteers; 404 Media confirmed on a freshly generated alias
Apple Hide My Email is leaking email addresses that are supposed to be hidden. We reported the issue and replication instructions to Apple over a year ago. We don't know why it hasn't been fixed, but we don't feel comfortable waiting any longer. Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses.
To 404 Media upon public disclosure
Analysis
For cybersecurity professionals, this incident is a textbook case of how even a responsible disclosure process can break down when vendors fail to validate patches. EasyOptOuts followed protocol: they reported the bug, supplied proof-of-concept steps, and waited. Apple’s acknowledgment and subsequent botched fix underscore the need for continuous third-party verification and transparent communication. With over 225 million iCloud+ subscribers potentially affected, the attack surface for credential harvesting and spear-phishing just widened dramatically—and the exploit still works.
Apple's Hide My Email, a flagship privacy feature bundled with iCloud+, has been leaking the real email addresses it was designed to conceal for more than a year, according to security researchers who reported the flaw to the company in June 2025. The vulnerability, which remains active and unpatched as of July 2026, allows any attacker to unmask the true inbox associated with any randomly generated Hide My Email alias. In tests conducted by EasyOptOuts, the privacy firm that discovered the issue, the exploit succeeded on 100% of aliases—including a fresh address created specifically for 404 Media journalist Joseph Cox, whose real email was recovered within minutes. Independently, 404 Media verified the flaw before publishing, but is withholding the technical details to prevent immediate weaponization.
On June 11, 2025, EasyOptOuts co-founders Tyler Murphy and his colleague Ben filed a report with Apple.
The disclosure timeline reveals a troubled remediation process. On June 11, 2025, EasyOptOuts co-founders Tyler Murphy and his colleague Ben filed a report with Apple. Within two days, Apple acknowledged that the behavior "was not intended by design," confirming it as a legitimate bug. The researchers submitted detailed reproduction steps on June 13, added further context on June 20, and reported a second related vulnerability on July 9; by July 14, Apple stated both were under review. Yet the months that followed brought no patch. On March 3, 2026, Apple informed the researchers that it had "addressed" the issue. However, Murphy found the exploit still functional, and subsequent tests by 404 Media this week confirm its continued viability.
What to Watch
This protracted gap between initial disclosure and effective remediation—spanning more than 380 days—raises serious concerns about Apple's vulnerability management processes. Hide My Email is marketed as a cornerstone of digital privacy for individuals signing up for newsletters, trial accounts, or one-off purchases without risking spam or phishing. By failing to close the loophole, Apple has left hundreds of millions of iCloud+ subscribers exposed to potential deanonymization. Cybercriminals who discover the technique could harvest real inboxes at scale, fueling credential-stuffing campaigns, targeted phishing, or social engineering attacks. Journalists, activists, and other at-risk users who rely on the feature for operational security face especially grave consequences.
The incident also underscores a familiar tension in vulnerability disclosure: even when a vendor engages constructively, a patch that is not properly validated can perpetuate risk. Apple's public silence on the matter—no security advisory, no update to its iCloud+ privacy claims—further erodes trust. While the exploit’s mechanics remain undisclosed for now, the fact that a small research team could iterate and a journalist could independently confirm the bug strongly implies that skilled adversaries may have already reverse-engineered it. Users have little recourse short of abandoning the feature or auditing forwarded mail flows, which defeats the purpose. For Apple, the episode is a stark reminder that marketing privacy is no substitute for engineering it—and that the clock on responsible disclosure runs both ways.
Timeline
Timeline
Initial vulnerability report
EasyOptOuts co-founders Tyler Murphy and Ben report the flaw to Apple, noting that Hide My Email aliases can be reversed to reveal the real inbox.
Reproduction steps submitted
Researchers provide Apple with detailed steps to reproduce the exploit, enabling the vendor to trigger the behavior.
Additional details shared
EasyOptOuts supplies further information to assist Apple's investigation.
Second related vulnerability reported
A separate, allied vulnerability in the same feature is disclosed to Apple.
Apple confirms both issues under review
Apple acknowledges receipt and states that both the original and second vulnerability are being examined.
Apple claims fix is deployed
Apple notifies EasyOptOuts that the vulnerability has been addressed. Subsequent testing reveals no actual change; exploit remains functional.
404 Media independent verification
404 Media validates the flaw using its own alias and confirms the vulnerability persists. Publication follows days later after a final failed check.
Sources
Sources
Based on 2 source articles- Technology Desk (in)Apple’s Hide My Email Has Hidden Almost Nothing for Over a Year, Researchers SayJul 1, 2026
- Matt Binder (us)Apple’s ‘Hide My Email’ feature is reportedly leaking email addressesJul 1, 2026
How we covered this story
Every story in our cybersecurity coverage is assembled from multiple primary sources, cross-referenced for factual consistency, and scored along three independent dimensions: sentiment, operational impact, and source-cluster confidence. Single-source rumors and unverifiable claims do not pass our editorial gate. When a story shows "Verified by N sources" with N≥2, the development is independently corroborated; when N=1, we mark it explicitly so readers can weigh the signal accordingly.
Impact scoring uses a 1-10 scale weighted toward regulatory, financial, and operational consequence rather than coverage volume. A topic that runs in every outlet but moves no real decisions ranks lower than a niche regulatory filing that reshapes how operators in the cybersecurity space have to behave. Read our full methodology for the scoring rubric, our glossary for term definitions, and our trends index for the longitudinal view across the beat.
| Signal on this page | What it tells you |
|---|---|
| Verified by N sources | Independent corroboration count. N≥2 is our confidence floor; N=1 is marked explicitly. |
| Impact score (1-10) | Regulatory + financial + operational weight. 8+ signals an experienced-operator action item. |
| Sentiment | Five-tier classification trained on labeled cybersecurity-specific corpora. |
| Timeline | Where applicable, the related-events sequence that contextualizes today's development. |