A security flaw in Apple’s Hide My Email has left millions of iCloud Plus subscribers potentially exposed — their real email addresses quietly visible to anyone willing to use a basic identity search tool. That’s not a theoretical risk. According to Tyler Murphy, co-founder of Easy Opt Out, every single Hide My Email address tested was exploitable.
Summary
Key takeaways
- A vulnerability in Apple’s Hide My Email service allows anyone to uncover a user’s real email address using publicly accessible identity search tools.
- Tyler Murphy of Easy Opt Out notified Apple of the bug in June 2025; Apple claimed a fix in March 2026, but the vulnerability persisted.
- Tests on volunteers showed a 100% exploitation rate across all Hide My Email addresses tested.
- Apple planned updates including a domain change from icloud.com to private.icloud.com, though the timeline for a complete fix remains unclear.
- Experts advise iCloud Plus subscribers to temporarily stop using Hide My Email until the issue is resolved.
Security Flaw Exposes Real Emails in Apple’s Hide My Email
Hide My Email is built on a straightforward promise: you sign up for a website using a disposable alias under the icloud.com domain, and your actual inbox stays invisible. The alias absorbs spam, expires on schedule, and keeps your identity clean. For the roughly one dollar a month iCloud Plus costs at its entry tier, it looks like solid privacy hygiene.
That promise has a serious crack in it. Murphy told 404 Media, which first reported and verified the vulnerability, that publicly accessible people-search sites make it easy to link a Hide My Email address to other personal details, meaning anyone motivated enough — a data broker, a stalker, a scammer — doesn’t need sophisticated hacking skills to work backward from an alias to a real inbox.
Easy Opt Out ran controlled tests with volunteers, and the results were stark: 100% of the Hide My Email addresses tested could be used to uncover the user’s real email address through identity search tools available to the general public. Murphy declined to publicly describe the exact mechanics of the exploit, and 404 Media withheld technical specifics at the time of reporting to prevent immediate mass exploitation.
The implications are harder to ignore given the nature of the feature. Hide My Email exists precisely for situations where exposure carries real consequences — signing up for services that might later be breached, limiting data broker visibility, protecting users in sensitive circumstances. Murphy specifically warned that “people relying on Hide My Email for safety may be at risk,” a statement that elevates this beyond a niche technical problem.
Discovery, Reporting, and Apple’s Response Timeline
Early discovery and reporting in June 2025
Murphy first alerted Apple to the vulnerability in June 2025 — more than a year before the public disclosure. That timeline alone is worth pausing on. A privacy feature in active commercial use, with a known and verified security flaw, went unpatched through an entire year of user exposure.
Apple’s March 2026 fix claim and the bug’s persistence
In March 2026, Apple told Murphy the problem had been addressed. Murphy checked. It hadn’t been. The vulnerability was still fully exploitable after Apple’s claimed remediation, raising questions about the rigor of the internal testing that preceded that assurance.
Disagreement over public disclosure
By May 2026, Apple acknowledged it was still investigating and asked Murphy to hold off on going public. Apple’s message was direct: “To avoid placing our customers at risk, we would appreciate you not disclosing this information until our investigation is complete.” Murphy disagreed. He went public anyway, arguing that users deserved to know about a risk that had already persisted for over a year without resolution.
That disagreement reflects a real tension in security research. Coordinated disclosure — where researchers give companies time to patch before publishing — is standard practice and generally protective. But when a company misses its own stated fix deadline, continues to delay, and still offers no confirmed resolution date, researchers face a difficult call. Murphy’s position: continued silence meant continued exposure for users who had no idea their privacy tool was compromised.
Apple did not respond to requests for comment from either 404 Media or CNET following the public disclosure.
Implications for Users and Planned Updates by Apple
For anyone currently using Hide My Email, the practical advice from security experts is straightforward: stop using the feature temporarily until Apple confirms a working fix. The risk isn’t abstract — it’s that every alias you’ve used can potentially be traced back to your real inbox by someone with access to standard data broker tools.
Apple has indicated it is working on several updates to the feature this summer. The most concrete change disclosed is a domain switch from icloud.com to private.icloud.com. The reasoning behind that specific change hasn’t been explained publicly, and the new subdomain structure carries its own complications.
If websites and services start recognizing and blocking addresses that end in private.icloud.com — which is a realistic outcome, since many platforms already flag or reject known alias domains — Hide My Email users could find themselves forced back to sharing their real addresses. That would effectively defeat the feature’s core purpose. Whether Apple has accounted for that downstream effect in its update planning remains an open question.
This isn’t Apple’s first collision between its privacy branding and the actual performance of its privacy tools. In 2022, iPhone apps were found sending analytics data to Apple even with the iPhone Analytics setting disabled. In 2023, the MAC address randomization feature meant to anonymize Wi-Fi connections was found to be exposing users’ real MAC addresses instead. Each incident chipped away at the same foundation: Apple’s long-cultivated reputation as a company that takes user privacy seriously by default.
The Hide My Email vulnerability is different in one key respect — it affects a feature that users explicitly enable because they want to protect themselves. The gap between expectation and reality is widest precisely where the stakes are highest.
FAQ
What is the vulnerability discovered in Apple’s Hide My Email service?
A security flaw allows attackers to uncover users’ real email addresses linked to their Hide My Email aliases, using basic and publicly accessible identity search tools. Easy Opt Out’s tests showed a 100% exploitation rate across all addresses tested.
When did Apple first become aware of the Hide My Email bug?
Apple was notified about the vulnerability in June 2025 by Tyler Murphy, co-founder of Easy Opt Out.
Has Apple fixed the bug in Hide My Email?
Apple claimed to have fixed the issue in March 2026, but Murphy confirmed the vulnerability still existed after that date. As of the public disclosure in July 2026, Apple had not confirmed a working resolution.
What measures is Apple planning to improve Hide My Email security?
Apple plans to update Hide My Email by changing the email domain from icloud.com to private.icloud.com, among other updates expected later in the summer of 2026. Whether this fully closes the vulnerability has not been confirmed.
Article produced with the assistance of artificial intelligence and reviewed by the editorial team.

