HeadlinesBriefing favicon HeadlinesBriefing.com

Apple's Hide My Email Flaw Leaks Real Addresses After Year-Long Delay

MacRumors •
×

Apple's Hide My Email service, designed to shield users from spam and data breaches, has a critical flaw allowing anyone to expose real email addresses linked to aliases. Tyler Murphy, co-founder of EasyOptOuts, discovered the issue in June 2025 and reported it to Apple, but the company failed to fix it for over a year. Murphy emphasized that 100% of test addresses were exploitable, with free people-search sites enabling attackers to tie leaked emails to personal details. Users relying on Hide My Email for privacy may face unintended exposure.

The vulnerability persists despite Apple’s repeated promises to address it. In March 2026, the company claimed it had “addressed the reported issue,” but Murphy confirmed the flaw remained active. Subsequent updates in May 2026 pushed the fix to “coming weeks,” yet no resolution has materialized. Apple’s shift of Hide My Email to a private.icloud.com domain inadvertently made it easier for platforms to block iCloud aliases, compounding user risk. This delay raises questions about Apple’s prioritization of privacy features amid growing scrutiny over data protection.

The core issue underscores a broader trust gap. Murphy proposed suspending new alias creation as an interim measure, but Apple ignored the suggestion. Without immediate action, users face heightened risks of identity theft or spam. The flaw highlights vulnerabilities in privacy tools marketed as secure, particularly when companies delay responses to known exploits. For those using Hide My Email, the lesson is clear: digital safety cannot rely solely on promises from tech giants without rigorous oversight.