Apple's Year-Old Email Privacy Flaw Goes Unpatched
A vulnerability in Hide My Email has been unmasking real addresses since 2025, raising questions about Cupertino's commitment to its privacy brand.

A Privacy Tool That Doesn't Protect
Hide My Email, Apple's feature designed to shield users behind disposable proxy addresses, has a critical vulnerability that allows anyone to unmask the real email addresses it was built to conceal. Tyler Murphy, co-founder of data-removal service EasyOptOuts, discovered the flaw and reported it to Apple in early 2025. The company has yet to fix it.
Murphy's testing reveals the scope of the problem. Every attempt to exploit the vulnerability has succeeded. "We don't know the full scope of the issue, but in our limited tests with volunteers, 100% of Hide My Email addresses were exploitable," Murphy said. The technical details remain undisclosed to prevent widespread abuse, but the exploit works reliably enough that Murphy considers it a systematic failure rather than an edge case.
The delay is puzzling. Apple typically moves quickly on security reports through its bug bounty program, often patching vulnerabilities within weeks. A year-long silence suggests either the fix is architecturally complex or the issue fell through internal triage. Neither explanation reflects well on a company that has made privacy a cornerstone of its brand positioning.
The Stakes Beyond Spam
For users who rely on Hide My Email to escape abusive contacts, stalkers, or harassment campaigns, the bug represents more than an inconvenience. People-search databases and data broker sites can link an exposed email address to phone numbers, physical addresses, and employment history within minutes. Murphy, whose business involves scrubbing client data from these aggregators, understands the chain reaction. "Publicly accessible people-search sites make it easy to link an email address to other personal details, so people relying on Hide My Email for safety may be at risk," he noted.
The feature launched in 2021 as part of iCloud Plus, Apple's subscription tier that bundles privacy tools with cloud storage. It generates random addresses in the format [random-string]@icloud.com that forward mail to a user's real inbox. The service integrates with Safari AutoFill and Sign in with Apple, making it frictionless to use across websites and apps. Adoption numbers are not public, but anecdotal evidence from developer forums suggests millions of active proxy addresses exist in the wild.
Apple has not commented on the report. The company rarely acknowledges vulnerabilities before patches ship, a policy that prevents tipping off attackers but leaves users in the dark about active threats. In this case, the window of exposure has stretched long enough that silence feels less like caution and more like inertia.
A Pattern, Not an Anomaly
This is not the first time Apple's privacy features have failed to deliver on their promises. In 2022, the company faced a class-action lawsuit after researchers demonstrated that iPhone apps continued transmitting analytics data to Apple even when users explicitly disabled iPhone Analytics in Settings. The gap between the toggle's label and its actual behavior suggested either poor implementation or misleading interface design.
A year later, another privacy mechanism crumbled under scrutiny. Apple's MAC address randomization, intended to prevent Wi-Fi tracking by rotating the device identifier broadcasted to routers, was found to leak the real MAC address under common network conditions. Researchers called the feature "useless" because the randomization broke so predictably that tracking remained trivial.
These incidents share a troubling thread. Apple ships privacy tools with marketing fanfare, but the engineering rigor behind them does not always match the rhetoric. The company's brand equity rests heavily on its privacy stance, particularly in contrast to ad-driven competitors like Google and Meta. When that differentiation proves hollow, the reputational cost compounds.
What Cupertino Owes Users Now
Apple has two obligations. The first is immediate: patch the Hide My Email vulnerability and push the fix to all supported iOS, iPadOS, and macOS versions. The second is structural: audit the rest of its privacy toolkit for similar gaps. If Hide My Email failed in testing or escaped review, other features built on the same infrastructure may carry comparable flaws.
Transparency would help rebuild trust. Apple could publish a post-mortem explaining why the fix took so long and what process changes will prevent repeat delays. The company has done this before, notably after the 2014 celebrity iCloud breach, when it overhauled two-factor authentication and breach notification procedures. A similar reckoning feels overdue.
For now, users who depend on Hide My Email for safety rather than convenience should consider the feature compromised. Alternative services, Fastmail's masked email addresses or SimpleLogin, offer similar functionality with open-source codebases that allow independent security audits. None are perfect, but at least their failure modes are documented.
The broader lesson extends beyond one bug. Privacy is not a feature you can bolt onto a product and forget. It requires continuous adversarial testing, rapid response to disclosures, and a willingness to admit when systems fail. Apple has the resources and talent to do this work. Whether it has the institutional commitment remains an open question, one that a year of inaction has done little to answer favorably.


