Apple ‘Hide My Email’ Has a Flaw That Can Expose Your Real Address

Researcher Tyler Murphy reversed 100% of tested aliases to real addresses in minutes, with Apple yet to deploy a fix

By Alex Barrientos

Key Takeaways

  • Researcher Tyler Murphy reversed 100% of tested Hide My Email aliases to real addresses in five minutes.
  • Apple acknowledged the flaw in March 2026, yet confirmed it was still unresolved by late May.
  • Apple’s shift to the private.icloud.com domain lets websites detect and block Hide My Email users at signup.

Hide My Email has a simple premise. You sign up for a sketchy newsletter or a dating app, Apple generates a random relay address, and your real email stays invisible. Think of it as a privacy bouncer standing between your inbox and the internet. According to 404 Media, though, this bouncer has been quietly letting everyone through the back door — and Apple has known about it for over a year.

Security researcher Tyler Murphy, co-founder of EasyOptOuts, discovered that anyone holding a Hide My Email address can reverse-engineer the real Apple-linked email behind it. When 404 Media tested the claim, they generated a fresh alias and handed it to Murphy. He returned the journalist’s actual email in roughly five minutes. In limited volunteer testing, Murphy found that 100% of aliases tried were exploitable.

More than a year after the flaw was first reported, Apple still has no public fix in place. The timeline unfolded as follows:

  • Murphy flagged the issue around June 2025.
  • Apple claimed in March 2026 it had “addressed the reported issue in a recent system change.” Murphy checked — still broken.
  • Apple said in May it was “still investigating” and asked Murphy not to disclose.
  • By late May, Apple promised a fix “in the coming weeks.” Murphy went public anyway, telling 404 Media that “Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses.”

Apple has not issued a public statement on the vulnerability.

Apple’s Coming Domain Change May Create a New Problem

Moving aliases to a dedicated domain could let websites block privacy-minded users at the door.

Separate from the vulnerability, Apple is planning a change that privacy advocates find troubling in its own right. Per TechCrunch, all new Hide My Email addresses will shift from the generic icloud.com domain to private.icloud.com — essentially stamping a visible label on every alias. Websites and apps will be able to detect and block these addresses at signup, treating privacy-conscious users as a distinct, easily filtered category.

Users relying on Hide My Email for high-stakes privacy needs — escaping harassment, whistleblowing, activism — should note that their protection ultimately depends on tools outside Apple’s control. Apple has already demonstrated it can unmask relay addresses: in a criminal investigation, the company provided the FBI with the real identity behind a Hide My Email alias when compelled by legal process, according to court records discussed on Privacy Guides. Free people-search sites can link an exposed email to a name, address, and more within seconds.

The honest read is this: Hide My Email works well as a spam filter. For anything higher-stakes, independent email providers with no link to your Apple ID offer stronger guarantees. That gap between Apple’s privacy marketing and its technical reality is worth keeping in mind the next time a signup form offers to hide your email for you.
