5 min read By Excello Mail Team

Apple's Hide My Email Has Been Broken for a Year: What Address Privacy Failures Teach Us About Domain Security

A researcher reported to Apple in June 2025 that its Hide My Email relay addresses can be reversed to reveal a user's real inbox. More than a year later, the bug is still live, and tests found it worked on 100% of addresses tried. Here is why hiding an address was never a substitute for authenticating a domain.

Apple’s Hide My Email is one of the more quietly popular privacy features in iCloud+. Type your Apple ID into a sign-up form, tap Hide My Email instead, and Apple generates a random alias, something like [email protected], that forwards to your real inbox without ever revealing it to the site you are registering with. Millions of people use it precisely so that a breach at some forum or retailer does not hand attackers their actual email address.

According to reporting from 404 Media, that promise has not held up. Security researcher Tyler Murphy, co-founder of the email privacy firm EasyOptOuts, reported to Apple in June 2025 that Hide My Email addresses could be reversed to expose the real address behind them. In tests run with volunteers, the technique worked on 100% of the addresses tried, and 404 Media confirmed it against one of its own aliases in a matter of minutes. More than a year after the initial report, and after several rounds of Apple claiming the issue was “addressed in a recent system change” only for Murphy to find it was not, the flaw was reportedly still exploitable as of this week. 404 Media withheld the exact technical mechanism to avoid handing out a working exploit while it remains live.

The Feature Worked Exactly as Advertised, Until It Didn’t

Hide My Email was never designed to authenticate anything. It was designed to obscure one specific fact: which real inbox sits behind a given alias. That is a narrow, useful promise, and for most of the feature’s life it appears to have held. What this disclosure shows is how much can ride on that one narrow promise once it breaks. A relay address that quietly reverses back to your personal or work email does not just leak an address. It removes the layer that was standing between an anonymous sign-up and a target list an attacker can use for spear phishing, credential stuffing, or a business email compromise attempt built specifically around knowing whose inbox to aim at.

That distinction matters more than it sounds. Anyone relying on Hide My Email, or a similar alias service, for anonymity was trusting an obfuscation layer, not an authentication layer. Obfuscation can fail silently. A real address exposed through a reversed alias looks identical, from the recipient’s side, to a real address obtained any other way. Nothing about the failure is visible to the person it happens to, which is exactly why it took over a year and outside reporting pressure to get traction on a fix.

Why This Is a Domain Security Story, Not Just a Privacy Story

Once an attacker has a verified real address, and knows the domain that address belongs to, whether it is a personal Gmail or a corporate account tied to a company domain, the next move is predictable. They send mail that looks like it comes from a colleague, a bank, or the company itself, aimed at that exact address. Whether that mail lands as a convincing spoof or bounces as an obvious fake depends entirely on something Hide My Email was never built to touch: whether the domain being impersonated has DMARC enforcement in place.

This is the pattern worth internalizing. Address privacy tools reduce how often your address ends up on a target list in the first place. Domain authentication determines what happens once it does. Both matter, and neither substitutes for the other. A company that has never had an email leaked can still be spoofed by anyone who guesses its domain from a business card, and a person whose Hide My Email alias just got reversed is only as protected as the DMARC policy on whatever domain the attacker now tries to impersonate to reach them.

What Actually Changes for Domain Owners

Nothing about this specific bug is something a DMARC record fixes. It lives entirely on Apple’s side, in how iCloud+ generates and resolves relay addresses, and the only real mitigation right now is being cautious about assuming a Hide My Email alias is unlinkable while it remains unpatched. But the incident is a useful prompt to check the other half of the equation. If your organization’s domain does not enforce DMARC at p=reject or p=quarantine, every real address that leaks anywhere, through this bug, through a data broker, through a breached vendor, becomes an address someone can spoof your domain to reach, with no protocol standing in the way.

Address exposure incidents are going to keep happening. Alias services get reversed, breaches get disclosed months after the fact, data brokers keep operating. The only piece of that chain a domain owner actually controls is whether mail claiming to come from their domain, once an attacker has a target to send it to, gets rejected before it reaches an inbox.

The Takeaway

A privacy feature that worked for years failed quietly, and it took a security researcher, more than a dozen months, and outside media pressure to get Apple to take it seriously. That is a reminder that any layer built on obscuring an address rather than authenticating a domain is a layer that can fail without anyone noticing until it is reported. Hiding your address is a good habit. It is not a defense. The defense is making sure that whatever domain someone tries to spoof once they find that address, yours or your company’s, is one that DMARC actually protects.


You cannot control every way your address might leak. You can control whether your domain can be spoofed once it does. Sign up for free to Excello Mail and put DMARC enforcement and continuous reporting on your domain, so a leaked address never turns into a successful impersonation.