WEDNESDAY, JULY 1, 2026VOL. XXVI · NO. 17
Tech

Hide My Email Has Been Showing Your Email

Apple's privacy flagship has a hole in it. They've known for over a year.

By Chasing Seconds · JULY 1, 20262 minute read

Photo · MacRumors: Mac News and Rumors - Front Page

There's a particular kind of embarrassment reserved for the person who installs a deadbolt and then leaves the window open. Apple is currently that person.

According to reporting by 404 Media — flagged by both MacRumors and Six Colors this week — a vulnerability in Apple's Hide My Email service can allow almost anyone to trace a generated alias back to the real address it's masking. The feature exists specifically to prevent that. That's the whole product. And it has, by the account of the researcher who found the flaw, a 100% success rate — meaning every Hide My Email address tested was exploitable.

Let that number sit for a second. Not most. Not a meaningful percentage. Every single one.

The Timeline Is the Story

Tyler Murphy, co-founder of EasyOptOuts, discovered the vulnerability and reported it to Apple in June 2025, along with instructions to replicate it. Apple acknowledged the report a month later and said it was investigating. That was the last meaningful movement. 404 Media verified the issue themselves using one of their own Hide My Email addresses. They're withholding the technical specifics because the vulnerability remains active and exploitable.

So here's where we are: a privacy feature is broken, the company that sells it knows, and the fix hasn't come.

This is the part of the security cycle that the press release version of privacy never accounts for. Apple has spent years building Hide My Email into its identity — a tangible argument for why the Apple ecosystem is worth the premium, why you should trust the walled garden. The feature isn't incidental. It's infrastructure for a particular kind of trust.

When the infrastructure leaks, the marketing doesn't quietly update itself.

What Privacy Theater Costs

The cynical read is that this was always more promise than architecture — that features like Hide My Email exist to be announced, to appear in keynotes and on comparison charts, and that the operational security behind them gets less attention than the naming rights. That's probably too harsh. Features break. Vulnerabilities get found. That's not unique to Apple or to privacy tooling.

What is notable is the timeline. A year is a long time for a known flaw in a feature whose entire purpose is anonymity. Murphy did everything right — responsible disclosure, replication steps, direct report. Apple acknowledged it. And then, apparently, not much else happened.

The researcher has been patient. 404 Media has been responsible, sitting on the technical details to avoid handing a wider audience a working exploit. The vulnerability, meanwhile, has continued to work exactly as advertised — just not for the people it was supposed to protect.

There's a version of this story where the fix is weeks away and the timing of the coverage is unfortunate. Maybe. But the gap between "Apple is investigating" and "Apple fixed it" has now stretched past twelve months, which is long enough that "investigating" starts to sound like something else entirely.

The people who built their email habits around Hide My Email — who used it to sign up for services, to compartmentalize their identity online — made a reasonable bet. Apple told them the alias was the wall. It turns out the wall had a door, and apparently a fair number of people knew where to find the handle.

Privacy as a feature is only as good as the engineering behind it. The marketing can afford to be vague. The code cannot.

End — Filed from the desk