Apple leaves Hide My Email bug unfixed for a year

A privacy safeguard meant to hide users’ real email addresses in Apple’s “Hide My Email” feature still hasn’t been fixed more than a year after it was reported. A researcher says the vulnerability can let attackers infer a hidden address, and Apple’s own timel
For more than a year, “Hide My Email” has been one of Apple’s quiet privacy promises: send messages without handing over your real address. But the protection is now facing a blunt test. A vulnerability was discovered that allows an attacker to work out your real email address — and it hasn’t been fixed for over a year.
The issue centers on a feature designed to cut spam at the source. Hide My Email lets Apple users communicate with services and companies without exposing their actual inbox. The promise is practical in everyday life: you can sign up, move on, and keep your real email out of marketing lists and databases.
Even so, the feature isn’t foolproof. A report from 404Media says the privacy feature can be beaten, and that the exact details of the vulnerability haven’t been shared because Apple still hasn’t acted to fix it. Testing on Monday by the publication verified that the problem is still present.
The person who found it, and who pushed it to Apple early, is Tyler Murphy, co-founder of EasyOptOuts. Murphy discovered the issue in June 2025 and responsibly reported it to Apple as well as the publication. Twelve months later, the vulnerability remains.
Murphy says the issue was reported and that instructions to replicate it were provided to Apple. He doesn’t know why it hasn’t been fixed, but he also didn’t feel comfortable waiting longer before speaking up. “Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses,” he declared.
In Murphy’s view, the risk isn’t theoretical. He points to free websites accessible to the public that link email addresses to other personal details. Anyone relying on Hide My Email may be pulled into that exposure — identified through tools that can connect an address to more than just an inbox.
Apple’s investigation timeline shows a long stretch between acknowledgement and results. One month after Murphy contacted Apple, it confirmed it was looking into the issue. In March 2026, Apple said it had “addressed the reported issue in a recent system change.” Murphy later found the hole hadn’t been plugged.
More information was provided to Apple again. A month later, Apple replied that it was doing more checks. By May, Apple updated Murphy by insisting it was still investigating the problem, and it also asked him to hold off disclosing it until after the investigation concluded.
Murphy responded with a proposal: Apple could stop selling access to Hide My Email until a fix was available, as a way to reduce the number of users exposed.
By the end of May, Apple told Murphy that it would be addressed in a security update “expected in the coming weeks.” After the publication contacted Apple multiple times following Murphy’s alert, it did not get a response.
Even while the bug remains, there’s another moving part around Hide My Email and Apple sign-in. The vulnerability’s exact fix date is still unknown, but changes to related service infrastructure could arrive alongside it — and some of those shifts may create new friction for users.
A June 15 developer notice warned that the email domains used for Sign In with Apple and Hide My Email will be updated in the future. The intention is for email providers and developers to update their systems ahead of the changeover.
In practice, the relay email addresses for Hide My Email would change from the domain iCloud.com to private.icloud.com. Sign In With Apple, which currently creates relay addresses ending with privaterelay.appleid.com, is set to move to the private.icloud.com version.
The concern is straightforward: nothing stops a website or newsletter from blocking email addresses using private.icloud.com. If that happens, users may be pushed to sign up using another legitimate account.
For Hide My Email specifically, Murphy’s worry is that the change removes “source ambiguity” that currently protects the service and its users — and that makes relay addresses more clearly identifiable for systems that treat them differently.
The sequence is stark: a vulnerability tied to Hide My Email was reported in June 2025 with instructions to replicate it. Apple said it was investigating it and later claimed it was addressed in March 2026, but testing verified it still exists after that. At the same time, Apple is preparing domain changes that could reshape how relay emails are treated by the outside world, while users are still waiting for the privacy hole to be sealed.
As of now, Hide My Email remains a widely used privacy tool. Yet the facts on the ground are hard to ignore: more than a year after discovery and reporting, an attacker may still be able to infer a hidden address — and the fix has not landed.
Apple “privacy” lol
So basically Hide My Email doesn’t actually hide it? I feel like this should’ve been fixed immediately if it’s been a year. Like what’s the point then.
Maybe it’s only a problem if you’re texting like… certain companies? Or if you’re using iMessage? The article says attackers can infer your real address but I don’t fully get how. Apple probably had to “retest” or whatever. Also Tyler Murphy sounds like he’s trying to promote something with that EasyOptOuts name.
A year is crazy. I always thought Hide My Email was the whole reason to trust Apple with email stuff, especially for signing up for stuff without getting spammed. If attackers can figure it out, then I’m just exposing myself anyway?? And why wouldn’t Apple tell people what happened? I saw this coming though, like these “privacy” features are always half-baked.