A vulnerability in Apple's Hide My Email feature can allow almost anyone to discover the real email address behind a Hide My Email alias, and Apple has not fixed the flaw more than a year after a security researcher responsibly disclosed it. 404 Media independently verified the issue on Monday with one of its own addresses, while researcher Tyler Murphy said his limited tests with volunteers showed 100 percent of Hide My Email addresses were exploitable.
The problem was discovered and reported to Apple in June 2025 by Tyler Murphy, co-founder of EasyOptOuts, according to 404 Media. Apple acknowledged Murphy's disclosure the following month and said it was investigating. In March 2026, the company told Murphy it had addressed the issue in a recent system change, but he found the flaw was still present. After further correspondence, Apple asked him to keep details confidential, saying it expected a fix in a security update "expected in the coming weeks." Apple did not respond to 404 Media's multiple requests for comment.
In limited volunteer tests, Murphy said 100 percent of the Hide My Email addresses were exploitable. "Free, publicly accessible people-search sites make it easy to link an email address to other personal details, so people relying on Hide My Email for safety may be at risk," he told 404 Media. The technical details remain undisclosed because the vulnerability is still exploitable.
"Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses," Murphy wrote when he went public.