Apple Has Known About a Hide My Email Vulnerability for Over a Year ⇥ easyoptouts.com
Tyler Murphy and Ben, co-founders of EasyOptOuts:
We’ve discovered vulnerabilities in Hide My Email that allow attackers to discover the meant-to-be-hidden address behind a Hide My Email address. We reported the issue to Apple over a year ago, and as of June 30, 2026, it still hasn’t been fixed. About a month ago, we realized that the vulnerabilities’ severity and scope are greater than we initially thought. […]
Apple replied — twice — that it had fixed these vulnerabilities, but Joseph Cox of 404 Media was able to reproduce the problem as recently as earlier this week. Very few details are available right now. I have seen speculation that the original email address is revealed when someone replies using their hidden email address, but the impression I get from Cox’s reporting is that no user interaction is necessary:
To test the issue I generated a new Hide My Email address and provided it to Murphy. Around five minutes later, he replied with my real email address linked to my Apple account which was supposed to be hidden.
I am also unclear about how, as of May, the EasyOptOuts guys found the “vulnerability may have greater severity and scope” than initially reported. Ominous, though.
Also, it is pretty shameful Apple has known about this for a year and has not actually fixed it. This seems to be a common occurrence when reporting bugs of any kind. There are plenty of times I have received responses to years-old bug reports claiming a fix was delivered recently, despite the issue still being easily reproducible. And those are little things; this is a bug that, if you believe this EasyOptOuts write-up and Cox’s reporting, fundamentally undermines a privacy feature that costs money.