Hide My Email Flaw Exposes Real Addresses for Year

Apple’s Hide My Email tool was meant to protect users by generating unique, random email addresses. New reporting says a vulnerability let real email addresses be uncovered for at least a year, and that the issue remained exploitable even after the researcher
A privacy feature Apple built to keep your real inbox out of sight has reportedly failed in a way that’s both simple and brutal: it can still point back to the person it was supposed to protect.
Back in 2021, Apple launched Hide My Email, a tool designed to let people sign up for online services using an email address that isn’t directly linked to them. The system generates “unique, random email addresses” that forward incoming messages to a user’s personal email address, cutting down the amount of information people hand over to companies.
But reporting released this week by 404 Media says a vulnerability in that setup has made it possible, for at least a year, for people’s real email addresses to be uncovered while they are using the privacy service.
Security researcher Tyler Murphy, who discovered the flaw in June 2025, told 404 Media that “Apple Hide My Email is leaking email addresses that are supposed to be hidden.” In “limited tests with volunteers,” he said, “100% of Hide My Email addresses were exploitable.”
The sharpest part is what those tests appear to demonstrate. In tests conducted by 404 Media and Murphy, it was possible for a newly created Hide My Email address—using the @icloud.com domain—to be linked back to the real email address of its creator.
Murphy said he first reported the problem to Apple last summer. He was told it had been “addressed” by March this year. Yet when he kept testing, the issue reportedly remained exploitable. Apple told Murphy a couple of months ago that it was still investigating the matter, and Apple did not respond to requests for comment from 404 Media.
The exact details of the vulnerability and how it works have not been revealed because the problem hasn’t been fixed.
That timeline—“addressed” by March, still under investigation a couple of months later, and exploitable in volunteer tests—sends a hard message to anyone using Hide My Email as a shield against tracking and unwanted access to their identity. The service was built around the promise of separation: use a mailbox that isn’t really yours. The new findings suggest the separation didn’t hold.
For now, Apple users who relied on Hide My Email to keep their real addresses hidden are left waiting for the fix, with the reported exposure framed not as a rare edge case, but as something that persisted for at least a year.
So it hides my email but not really… cool cool.
I knew that Hide My Email was too good to be true. If it can link back, what’s even the point? Also Apple sitting on it for a year??
Wait, so the ‘random’ email wasn’t random and it’s basically just another way to track you? I saw something like this before with iCloud. They said it was fixed in March but then it still works so I’m confused.
Not surprised. Apple always says privacy and then it turns into a loophole. Like people want separate inboxes but if the test shows 100% exploitable then that means everyone’s screwed, right? I don’t even use Hide My Email half the time, but it feels like this is gonna get swept under the rug until the next iPhone release.