Apple's Hide My Email bug went unfixed for a year, EasyOptOuts says

The privacy service reported the bug in June 2025; 404 Media verified it and Apple twice said fixes had landed, according to EasyOptOuts.

Why it matters

Apple sells Hide My Email as a privacy layer for iCloud+ users. EasyOptOuts' disclosure says that layer may fail at the point it matters most: keeping a permanent address unlinkable.

Apple's Hide My Email service can still reveal the real email address behind a supposedly private alias, according to EasyOptOuts co-founders Tyler Murphy and Ben, who said they reported the vulnerability to Apple more than a year ago and found it remained exploitable on June 30, 2026.

In a blog post published July 1, EasyOptOuts said the bugs affect Hide My Email, the iCloud+ feature Apple sells as a way for customers to generate random addresses that forward mail while keeping a permanent inbox private. 404 Media said it verified the issue with one of its own hidden email addresses on June 29 and withheld exploit details because the flaw could still be used.

The disclosure is notable because Murphy and Ben are not coming at Apple as outside critics of email privacy in the abstract. EasyOptOuts is a data-removal service built around a narrow privacy problem: getting people removed from data broker and people-search sites. On EasyOptOuts' about page, Murphy and Ben describe themselves as childhood friends who built EasyOptOuts because data broker opt-outs were too time consuming and because some rival services asked customers for more personal information than EasyOptOuts believed was necessary.

That background matters because the risk here is not just spam. EasyOptOuts argues that a real email address can be connected with other public records and people-search data, undermining the reason many users pay for iCloud+ privacy tools in the first place. Apple describes Hide My Email in support documentation as a way to create unique, random addresses so users do not have to share a real address when filling out forms or signing up for newsletters. Apple also says mail sent to those random addresses is forwarded to a personal email account and replies appear to come from the Hide My Email address.

EasyOptOuts' timeline puts the vulnerability report on June 11, 2025, when Murphy and Ben say they first reported it to Apple. Apple confirmed, according to EasyOptOuts, that Hide My Email was "not intended by design to allow discovery of the hidden address" and asked for more details. EasyOptOuts says it sent reproduction instructions on June 13, 2025, sent more information on June 20, and reported a second, similar vulnerability on July 9, 2025. Apple acknowledged on July 14, 2025, that the issues were under review, according to EasyOptOuts.

The dispute sharpened this year. EasyOptOuts says Apple told Murphy and Ben on March 3, 2026, that the vulnerabilities had been fixed and asked for verification. EasyOptOuts says it re-tested the issue on March 19 using the original reproduction steps and concluded the fix had not worked. On May 22, Murphy and Ben say they reported that the severity and scope appeared greater than they had first understood. EasyOptOuts says Apple did not acknowledge that increased-severity report. On June 30, Apple again said the vulnerabilities had been fixed and asked EasyOptOuts to verify; EasyOptOuts says it again determined the bugs were still present.

The technical details remain intentionally absent. EasyOptOuts says it will not discuss or disclose how the exploit works until Apple fixes it. That leaves users without a way to independently test whether a particular alias is vulnerable, and it leaves operators using Hide My Email for whistleblowing, safety, dating, commerce, or account separation with a simple risk calculation: a tool marketed to hide an address may not do that against a motivated party.

Apple's handling of Hide My Email was already under scrutiny before this disclosure. On June 15, Apple told developers in an Apple Developer note that new addresses for Sign in with Apple and iCloud+ Hide My Email would move later this summer to a shared private.icloud.com domain. Existing addresses on legacy domains will continue to work, Apple said, while developers and email service providers should update validation, allowlists, filtering, suppression lists, and routing rules.

That domain change is separate from the EasyOptOuts vulnerability claim, but it points to the same tension in Apple's privacy product: Hide My Email only works if counterparties accept the alias and cannot use it as a clean marker for blocking or extra review. TechCrunch reported on June 16 that moving aliases to a dedicated domain could make it easier for apps and websites to block anonymous sign-ups. Apple's developer note framed the change as unifying domains across Sign in with Apple and iCloud+ Hide My Email, not as a security response.

The open question is why Apple told EasyOptOuts twice that fixes were ready if the original reproduction steps still worked. EasyOptOuts does not publish Apple's full correspondence, and Apple has not publicly documented a fix for the vulnerabilities Murphy and Ben describe. What is clear from the timeline is that EasyOptOuts gave Apple more than a year before public disclosure and then used 404 Media as an outside verifier rather than publishing exploit mechanics.

EasyOptOuts is calling for Apple to reduce exposure before a full fix, including by disabling the creation of new Hide My Email addresses and notifying users of the risk. That is an aggressive interim ask, but it matches the nature of the product. Hide My Email is not an optional cosmetic setting; it is a paid privacy promise bundled into iCloud+. If the alias can be reversed, the failure is not only a bug in a mail relay. It is a break in the trust boundary Apple asks customers to rely on.
