A privacy feature that stopped delivering privacy
Hide My Email is one of the quiet pillars of Apple's privacy pitch. Part of the iCloud+ subscription, it generates disposable relay addresses that forward to a user's real inbox, letting people sign up for services without handing over their true email. The entire value of the feature rests on one guarantee: that the relay alias cannot be traced back to the real address. A researcher's disclosure now calls that guarantee into question, describing a flaw that lets almost anyone resolve an anonymized alias back to the real inbox behind it. When the core promise breaks, the feature becomes worse than useless, because users act on trust it no longer earns.
We want to be clear about why this class of flaw is more serious than a typical bug. Hide My Email is not a convenience feature; it is a security control that people deploy deliberately to create a boundary between their identity and the services they use. When a control like that fails silently, users keep relying on it precisely because they believe it is protecting them. The gap between perceived and actual protection is where real harm accumulates, and a deanonymization flaw in an anonymization feature is the most direct possible violation of the thing users were paying for.
A year of silence after responsible disclosure
The timeline is the part that should trouble security leaders most. Researcher Tyler Murphy, co-founder of EasyOptOuts, reported the issue to Apple in June 2025, and he did so responsibly, including replication steps so the vendor could reproduce and fix it. More than a year later, 404 Media independently verified that the flaw still worked. That is not a case of a report lost in the intake queue for a week. It is a documented, reproducible privacy failure that survived a full year of vendor awareness without a fix reaching users.
For a company that markets privacy as a core differentiator, a year of inaction on a deanonymization flaw sits uncomfortably against the brand. We do not raise this to pile on Apple specifically, but because it illustrates a pattern every large organization should examine in its own vulnerability handling. Responsible disclosure is a two-way commitment. When researchers do the hard work of finding and reporting flaws with replication steps, a slow or silent response erodes the trust that makes coordinated disclosure function at all, and it leaves users exposed for the duration of that silence.
One hundred percent exploitable in testing
The severity is captured in a single figure. As Tyler Murphy, researcher and co-founder of EasyOptOuts, put it: "We don't know the full scope of the issue, but in our limited tests with volunteers, 100% of Hide My Email addresses were exploitable." A 100 percent hit rate, even across a limited sample, tells us this is not a fragile edge case that requires unusual conditions. Within the tested set, every single alias could be resolved back to a real address. That consistency suggests a systemic weakness in how the feature works rather than a rare misconfiguration affecting a handful of accounts.
Murphy is appropriately careful to note that the full scope is unknown, and that caveat matters. A perfect exploitation rate in a small volunteer group does not automatically generalize to every Hide My Email user everywhere. But from a risk posture, we advise planning for the worst plausible case rather than the most comforting one. When a control shows a 100 percent failure rate in controlled testing, the prudent assumption is that any given alias may be resolvable, and users should behave accordingly until the vendor demonstrably closes the gap.
The downstream risks of deanonymization
A resolvable relay alias is not an abstract privacy concern; it feeds concrete attack chains. The flaw undermines the anonymity boundary users depend on, and that raises the risk of targeted phishing, spam correlation, and outright deanonymization. If an attacker can link an alias back to a real inbox, they can correlate activity across the services where that alias was used, building a profile the user believed was compartmentalized. That profile is exactly the raw material for convincing, personalized phishing, because the attacker now knows both the real address and the context in which the alias was created.
Correlation is the subtler and arguably worse harm. People use Hide My Email specifically to prevent a data broker or a breached service from tying their activity together across sites. If every alias resolves to the same underlying inbox, that separation collapses, and disparate signups can be stitched back into a single identity. For high-risk individuals such as journalists, activists, executives, or anyone else with a reason to compartmentalize, the failure of this boundary is not an inconvenience. It can expose the very connections the feature was chosen to hide, with real consequences for safety. Worse still, aliases already leaked in prior breaches gain new value once they can be resolved, letting attackers retroactively link old dumps to live inboxes and enrich profiles they had written off as dead ends.
What leaders and users should do now
With Apple not having commented and the technical details withheld, defenders are operating without a patch or a confirmed root cause. The pragmatic response is to stop treating Hide My Email aliases as a hard anonymity guarantee and start treating them as convenient forwarding addresses that may be linkable. That is a mindset shift, not a technical one, and it is available to every user today. For genuinely sensitive compartmentalization, layered approaches that do not depend on a single vendor feature are the more resilient choice while the flaw remains open.
For organizations, there is a broader lesson in vendor dependency. If your threat model relies on a third-party privacy feature holding, this episode shows why that reliance needs a fallback. Withholding the technical details is a reasonable move to avoid arming attackers before a fix ships, so we are not calling for full disclosure here. But leaders should assume the boundary is porous, communicate that to at-risk users, and keep pressure on the vendor through the coordinated channels that exist. A control unpatched for over a year is a control you cannot yet count on, and planning around it beats hoping for it.