Apple's 'Hide My Email' Vulnerability Exposes User Email Addresses

Apple's 'Hide My Email' Vulnerability Exposes User Email Addresses

First seen 1 Jul 2026, 15:46 UTC News.YcombinatorTechcrunchFeeds2.FeedburnerFeeds.4SysopsFeeds.Feedburner+8 87% similarity 69.0
Share:

Article Content

Browse articles
ThreatCluster

A significant vulnerability in Apple's 'Hide My Email' feature allows attackers to uncover users' real email addresses behind generated aliases. Discovered by Tyler Murphy of EasyOptOuts, the flaw was reported to Apple in June 2025 but remains unpatched as of July 2026. Independent testing confirmed that 100% of tested aliases were exploitable, raising serious privacy concerns for users relying on this feature. Apple acknowledged the issue and claimed to have addressed it in March 2026, but subsequent tests revealed that the vulnerability persists. Additionally, Apple plans to change the domain of these aliases from @icloud.com to @private.icloud.com, which may further hinder the feature's effectiveness. Users are advised to consider alternative privacy options while Apple investigates the issue.

Key Points: • A vulnerability in Apple's 'Hide My Email' feature exposes real email addresses. • The flaw was reported over a year ago but remains unpatched as of July 2026. • Apple plans to change the alias domain, potentially making the feature less effective.

ThreatCluster AI

Timeline

2025-06-01
Vulnerability reported to Apple
Tyler Murphy reported the flaw in 'Hide My Email' to Apple, providing replication instructions.
Mashable
2026-03-01
Apple claims to have addressed the issue
Apple announced that it had patched the vulnerability in a system update, but tests showed it still existed.
Macrumors
2026-05-01
Ongoing investigation confirmed
Apple informed Murphy that the investigation into the vulnerability was still ongoing.
Lifehacker
2026-06-16
Apple announces domain change
Apple plans to change the domain of 'Hide My Email' addresses to @private.icloud.com, affecting usability.
Techcrunch
2026-07-01
Public disclosure of vulnerability
The ongoing vulnerability in 'Hide My Email' is publicly disclosed, revealing the risk to users.
Cybersecuritynews

Community

Browse all →