Thu 09 Jul 2026 / 19:32 ET
Kernel
Long Reads 2 min read

Apple Hide My Email bug can expose addresses, 404 Media reports

404 Media says it verified a still-unfixed flaw that can reveal real email addresses hidden by Apple’s privacy feature.

Mara Chen-Doyle

By Mara Chen-Doyle / Staff Writer

Apple Hide My Email bug can expose addresses, 404 Media reports
img: 404 Media

A flaw in Apple’s Hide My Email feature can reveal the real address a user meant to conceal, according to reporting by Joseph Cox at 404 Media and a security researcher who reported the issue.

The problem is still exploitable, 404 Media said. The publication reported that it confirmed the vulnerability on Monday using one of its own Hide My Email addresses. It withheld the technical steps for triggering the bug, saying publication of the method would let others exploit it.

Hide My Email is Apple’s privacy tool for masking a user’s actual email address behind an Apple-generated address. The point is to let a person receive messages without handing over the underlying account. According to 404 Media’s account, the vulnerability breaks that promise: someone can use the flaw to learn the address that the feature is meant to keep out of view.

What is known

404 Media attributed the discovery to a security researcher and said Apple has not fixed the issue for more than a year. The researcher told 404 Media: “Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses.”

The report does not disclose the mechanics of the vulnerability, so outside readers cannot independently judge how hard it is to exploit, whether it affects every Hide My Email user, or what conditions are required. The key reported facts are narrower and still serious: 404 Media says the bug works, the publication tested it itself, and the issue remained open at the time of its check.

That distinction matters. A privacy feature can fail in many ways, from a narrow edge case to a broad design flaw. Without the exploit details, the public version of the report does not establish the full blast radius. It does, however, say the flaw can expose the specific piece of information users adopted the feature to avoid sharing.

What Apple users can take from this

The report does not include mitigation steps from Apple or a statement from the company. It also does not say Apple has issued a patch.

For now, the confirmed claim is that Hide My Email may not reliably keep the underlying address hidden in every case, according to 404 Media’s test and the researcher who reported the bug. That is enough to make the feature’s risk model look different: users relying on it for separation between identities should treat the hidden address as potentially discoverable until Apple addresses the reported flaw.

This story draws on original reporting from 404 Media.

More Long Reads/

view all ↗