Particle.news

Hide My Email Flaw Lets Attackers Find Users’ Real Addresses

The flaw lets third‑party services tie Hide My Email aliases back to users’ real identities.

Overview

  • On Wednesday, security researcher Tyler Murphy and 404 Media publicly reported a year‑old vulnerability in Apple’s Hide My Email that remains exploitable despite private disclosures to Apple.
  • Murphy says he first reported replication steps to Apple in June 2025 and that Apple acknowledged and investigated the issue multiple times without delivering a confirmed effective patch.
  • 404 Media independently verified the exploit by giving a generated alias to the researcher, who returned the linked real address within minutes. Murphy reports that in his limited tests 100% of aliases were vulnerable.
  • Apple has told the researcher it expects a security update, and separately announced that new Hide My Email aliases will move to the private.icloud.com domain this summer, which may make aliases easier for sites to detect and block.
  • If an alias is unmasked, free people‑search sites and data brokers can link that email to names and contact details, so experts urge users to treat existing Hide My Email addresses as less private and watch for Apple’s patch or interim mitigations such as pausing new alias creation.