A reported vulnerability in Apple’s iCloud+ Hide My Email service allows an attacker with only a relay alias to uncover the user’s real email address, defeating a privacy feature widely used to mask identity. Researcher Tyler Murphy of EasyOptOuts said he disclosed the issue to Apple in June 2025, and multiple outlets reported that 404 Media independently verified the flaw by recovering a reporter’s actual Apple ID email from a newly created alias. Public reporting says the issue requires no account compromise, special access, or social engineering, raising risks of phishing, spam correlation, account linkage, and exposure of personal details through people-search services.
Apple reportedly acknowledged the bug in 2025 and later told Murphy that a system change had addressed it, but follow-up testing found the deanonymization still worked more than a year after disclosure. Murphy said volunteer testing showed all tested aliases were reversible, though the full scope across the user base remains unclear, and exact exploitation details were withheld while Apple continued investigating. As of the reports, Apple had not issued a public advisory or CVE, and separate coverage noted that Apple’s planned migration of masked addresses to the @private.icloud.com domain could make Hide My Email aliases easier for websites and apps to identify and block.

8 events from the most recent confirmed update back to the earliest known activity.
Apple announced that anonymously generated Hide My Email addresses will transition to the @private.icloud.com domain. The change could make such aliases easier for websites and apps to identify and potentially reject.
Multiple outlets reported that Apple's Hide My Email feature could reveal users' real email addresses behind aliases, describing the flaw as unpatched and a significant privacy risk.
404 Media independently verified that a Hide My Email alias could be used to recover the underlying real email address, confirming the issue remained exploitable more than a year after disclosure.
By the end of May 2026, Apple told Murphy it was still investigating the Hide My Email flaw and expected to address it in a security update in the coming weeks.
In March 2026, Apple told Murphy that a recent system change had fixed the Hide My Email issue. Murphy subsequently found that the vulnerability was still exploitable.
Apple acknowledged Murphy's report in July 2025 after receiving the June 2025 disclosure, according to reporting on the issue.
Tyler Murphy of EasyOptOuts responsibly disclosed a vulnerability in Apple's Hide My Email service to Apple in June 2025, reporting that an alias could be used to uncover the underlying real email address.
EasyOptOuts published a guide on June 30, 2026 describing how Apple's Hide My Email could expose users' real email addresses.
10 references tracked.
tidbits.com
scworld.com
malwarebytes.com
tomshardware.com
cybersecuritynews.com
404media.co
macrumors.com
easyoptouts.com