CUPERTINO — Apple sells Hide My Email as a privacy feature. For more than a year, according to the researchers who found and kept testing it, it has not lived up to the name.
Tyler Murphy and Ben, co-founders of the data-removal service EasyOptOuts, reported a flaw to Apple on June 11, 2025, that lets an attacker unmask the real inbox hiding behind any Hide My Email alias, the randomized address the iCloud+ feature generates so users can sign up for accounts, newsletters or one-off purchases without exposing their actual email. In tests run with volunteers, the researchers found the exploit worked on 100 percent of the aliases they tried. To prove the point to a skeptical reporter, Murphy ran the technique on a freshly generated Hide My Email address belonging to Joseph Cox, the 404 Media journalist who would go on to write about the flaw, and recovered Cox’s real inbox within minutes.
404 Media verified the vulnerability independently this week using its own alias before publishing, and is deliberately withholding the technical mechanics of the exploit because, as of publication, it still works. That is the detail that separates this from a routine bug report: the people who found it, and the outlet that confirmed it, both say an ordinary person can still run this today.
What makes the year-long gap notable is not that Apple ignored the report. It engaged with it, repeatedly, and still did not close it. According to EasyOptOuts’ own published timeline, Apple confirmed within two days of the initial report that Hide My Email was “not intended by design to allow discovery of the hidden address,” acknowledging that the behavior was a real bug rather than expected functionality. Murphy and Ben submitted reproduction steps on June 13, added detail on June 20, and reported a second, related vulnerability on July 9. Apple confirmed both were under review on July 14. Then, on March 3 of this year, Apple told the researchers it had addressed the issue. It had not. The researchers verified the flaw persisted on March 19, reported an escalated version of it on May 22 without receiving acknowledgment, and were told again on June 30, more than a year after the first report, that the issue was fixed. It still was not, which is why they decided to go public rather than keep waiting.
“We’re publicly disclosing the existence of the vulnerability now because we think Hide My Email users deserve to know that their email addresses may not actually be hidden,” the EasyOptOuts founders wrote, a line that reads less like a security disclosure and more like an accusation that Apple’s internal fix process cannot be trusted at face value. TechCrunch reported it had separately reached out to Apple for comment and had not received a response by the time of publication.
The practical damage is not abstract. Hide My Email exists specifically so a person can hand out an address to an app, a dating site, a customer service form or a stranger without linking that interaction back to their real identity. Once the alias is reversed, that protection collapses, and the exposure does not stop at the inbox: publicly accessible people-search sites and data brokers routinely cross-reference an exposed email address against names, home addresses and phone numbers, meaning the real damage of this bug is not the leaked string of characters itself but everything a broker can attach to it afterward. For the subset of users who rely on the feature specifically because they are avoiding a stalker, an abusive ex-partner or unwanted contact, an exposed alias is not a mere inconvenience.
This is not the first time Apple’s privacy engineering has fallen short of its marketing. In 2022, researchers found iPhone apps continued transmitting analytics data even after users disabled the relevant privacy setting. In 2023, the MAC address randomization feature meant to stop networks from tracking a device over time was found to leak the real hardware address under certain conditions, undercutting the exact protection it was built to provide. Apple’s newest privacy push, an AI agent that will log into websites and change passwords automatically, is arriving into a track record where the company’s stated privacy guarantees and its shipped code have not always matched, and where independent verification after the fact has repeatedly turned out to matter.
The Cybersecurity and Infrastructure Security Agency has separately been urging phone users this year to stop assuming default privacy settings, on any platform, actually protect them, and to audit permissions rather than trust the label on the feature. Eastern Herald previously detailed the specific settings CISA recommends changing on both iPhone and Android, a list that assumes, as this case now complicates, that the privacy tools built into the phone are functioning as advertised in the first place. Hide My Email was precisely the kind of setting that list would have told a cautious user to rely on.
Apple has not said when, or whether, the underlying flaw will actually be closed this time, and neither 404 Media nor EasyOptOuts has set a deadline for withholding the technical details publicly. That leaves an open question neither the researchers nor Apple has answered: how many Hide My Email addresses, generated in good faith over the past thirteen months on the assumption that they were doing what Apple said they would, have already been unmasked by someone other than a journalist demonstrating a point.