100% of Hide My Email addresses were exploitable: Apples security feature can be duped into supplying the real contact info and the bug has remained unpatched for over a year
Date:
Thu, 02 Jul 2026 13:57:57 +0000
Description:
The bug was reported to Apple over a year ago, but still nothing has been done.
FULL STORY ======================================================================Copy link Facebook X Whatsapp Reddit Pinterest Flipboard Threads Email Share this article 0 Join the conversation Follow us Add us as a preferred source on Google Newsletter Subscribe to our newsletter Apple Hide My Email can reveal
a user's authentic email address The bug puts users at risk of
identification, experts warned It has been unpatched for over a year A bug in Apple s Hide My Email feature allows for those with knowledge of the vulnerability to identify the real email address hidden behind the anonymous email address.
The bug was discovered by EasyOptOuts co-founder, Tyler Murphy, who shared
the exploit with 404 Media after notifying Apple multiple times that the feature could be actively exploited. We reported the issue and replication instructions to Apple over a year ago. We don't know why it hasn't been
fixed, but we don't feel comfortable waiting any longer, Murphy said. Latest Videos From Watch full video here: Hide My Email can be actively exploited As the bug still hasnt been patched, the details of how the exploit works have not been shared.
Apples Hide My Email feature was designed to anonymize email addresses, helping to prevent a users real email address from being leaked in a data breach, or to prevent a users email address from being linked to them personally in a way that could reveal their identity. You may like Apple
users told to watch out for 'unpatchable' iPhone security issues Apple has fixed a security flaw in Beats Studio Buds which let hackers spy on conversations Hackers abuse Apple account notifications to distribute malware
There lies the crux of the issue. By being able to identify the real email address by exploiting the bug, a malicious actor could uncover the real identity of the anonymized email.
Free, publicly accessible people-search sites make it easy to link an email address to other personal details, so people relying on Hide My Email for safety may be at risk, Murphy said. We don't know the full scope of the
issue, but in our limited tests with volunteers, 100% of Hide My Email addresses were exploitable. Are you a pro? Subscribe to our newsletter Sign
up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed! Contact me with news and offers from other Future brands Receive email from us on behalf of our trusted partners or sponsors By submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over.
Users concerned about being identified via people-search sites can use a data removal service to have their data scrubbed from these sites, but the process can take a few days.
The issue was first reported to Apply by Murphy in June 2025, with Apple replying a month later that it was looking into the cause of the issue. Earlier this year, in March, Apple said that it had addressed the reported issue in a recent system change, but Murphy found that the bug could still be exploited.
Again, Murphy notified Apple, who replied in May 2026, stating, We are still investigating this issue. To avoid placing our customers at risk, we would appreciate you not disclosing this information until our investigation is complete. We appreciate your assistance in helping us to maintain and improve the security of our products."
Later in the same month, Apply said a fix was expected in the coming weeks." Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
======================================================================
Link to news story:
https://www.techradar.com/pro/security/100-percent-of-hide-my-email-addresses- were-exploitable-apples-security-feature-can-be-duped-into-supplying-the-real- contact-info-and-the-bug-has-remained-unpatched-for-over-a-year
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)