Key Takeaways:
- Researcher finds an Apple Hide My Email bug in Apple’s Hide My Email privacy feature.
- The vulnerability allows unauthorized parties to uncover hidden, masked email addresses.
- Apple has failed to resolve the reported issue for over one year.
Researcher Discovers Persistent Vulnerability In Apple Feature
A security researcher has uncovered a significant Apple Hide My Email bug that allows unauthorized parties to reveal a user’s actual email address, despite Apple’s claims of privacy protection.
Tyler Murphy, co-founder of the privacy firm EasyOptOuts, first reported the flaw to Apple in June 2025. According to reports confirmed by independent tests this week, the vulnerability remains active, potentially exposing the personal email accounts of millions of iCloud+ subscribers who rely on the service to mask their identity online.
“Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses,” Murphy said. “We reported the issue and replication instructions to Apple over a year ago. We don’t know why it hasn’t been fixed, but we don’t feel comfortable waiting any longer.”
Apple Struggles To Patch Long-Standing Security Bug
Apple has acknowledged the issue multiple times since the initial report but has struggled to implement a permanent fix for the Apple Hide My Email bug. In March 2026, the company informed Murphy that a system change had addressed the concern, yet subsequent testing confirmed the vulnerability persisted.
By May, Apple reportedly requested that Murphy refrain from public disclosure while the investigation continued, promising a fix in an upcoming security update. However, with the bug still exploitable as of this week, Murphy and independent researchers at 404 Media decided to make the findings public to warn current users of the risks.
“In our limited tests with volunteers, 100 percent of Hide My Email addresses were exploitable,” Murphy noted. The researcher’s own assessments suggest the flaw could allow attackers to link masked addresses to real identities using publicly available people-search databases, significantly increasing the risk of harassment or data tracking.
Users Urged To Seek Alternatives As Investigations Continue
The failure to secure the feature raises questions regarding the reliability of Apple’s privacy-focused branding. While Apple has not yet issued a formal public statement or an official patch for the specific exploit, the company recently announced plans to transition Hide My Email aliases to a new “private.icloud.com” domain.
Cybersecurity experts warn that users relying on the service for high-stakes anonymity, such as avoiding harassment or protecting sensitive accounts, should consider alternative measures. “If you are relying heavily on ‘Hide My Email’ for acute safety, you should consider utilizing a temporary secondary service until Apple rolls out an official security patch,” one industry analyst suggested.
Apple spokespeople did not immediately provide a timeline for a definitive fix. For now, the Apple Hide My Email bug remains a stark reminder that even privacy-oriented tools are subject to persistent, unresolved software flaws that may compromise user safety.
Visit more of our news! CyberPro Magazine




