‘100% of Hide My Email addresses were exploitable’: Apple’s security feature can be duped into supplying the real contact info — and the bug has remained unpatched for over a year
The bug still hasn't been patched
- Apple Hide My Email can reveal a user's authentic email address
- The bug puts users at risk of identification, experts warned
- It has been unpatched for over a year
A bug in Apple’s ‘Hide My Email’ feature allows for those with knowledge of the vulnerability to identify the real email address hidden behind the anonymous email address.
The bug was discovered by EasyOptOuts co-founder, Tyler Murphy, who shared the exploit with 404 Media after notifying Apple multiple times that the feature could be actively exploited.
“We reported the issue and replication instructions to Apple over a year ago. We don't know why it hasn't been fixed, but we don't feel comfortable waiting any longer,” Murphy said.
Hide My Email can be actively exploited
As the bug still hasn’t been patched, the details of how the exploit works have not been shared.
Apple’s Hide My Email feature was designed to anonymize email addresses, helping to prevent a user’s real email address from being leaked in a data breach, or to prevent a user’s email address from being linked to them personally in a way that could reveal their identity.
There lies the crux of the issue. By being able to identify the real email address by exploiting the bug, a malicious actor could uncover the real identity of the anonymized email.
“Free, publicly accessible people-search sites make it easy to link an email address to other personal details, so people relying on Hide My Email for safety may be at risk,” Murphy said. “We don't know the full scope of the issue, but in our limited tests with volunteers, 100% of Hide My Email addresses were exploitable.”
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Users concerned about being identified via people-search sites can use a data removal service to have their data scrubbed from these sites, but the process can take a few days.
The issue was first reported to Apply by Murphy in June 2025, with Apple replying a month later that it was looking into the cause of the issue. Earlier this year, in March, Apple said that it had “addressed the reported issue in a recent system change,” but Murphy found that the bug could still be exploited.
Again, Murphy notified Apple, who replied in May 2026, stating, “We are still investigating this issue. To avoid placing our customers at risk, we would appreciate you not disclosing this information until our investigation is complete. We appreciate your assistance in helping us to maintain and improve the security of our products."
Later in the same month, Apply said a fix was “expected in the coming weeks."
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

Benedict is a Senior Security Writer at TechRadar Pro, where he has specialized in covering the intersection of geopolitics, cyber-warfare, and business security.
Benedict provides detailed analysis on state-sponsored threat actors, APT groups, and the protection of critical national infrastructure, with his reporting bridging the gap between technical threat intelligence and B2B security strategy.
Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the University of Buckingham Centre for Security and Intelligence Studies (BUCSIS), with his specialization providing him with a robust academic framework for deconstructing complex international conflicts and intelligence operations, and the ability to translate intricate security data into actionable insights.
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.