A vulnerability in Apple's Hide My Email service has allowed the real email addresses of users to be uncovered for over a year, despite the promise of anonymity. Security researcher Tyler Murphy, who discovered the issue in June 2025, demonstrated that 100% of the generated @icloud.com addresses could be traced back to the original email. The flaw, still unpatched, raises serious questions about the reliability of Apple's privacy features.
How Hide My Email works and why the flaw is critical
Introduced in 2021, Hide My Email creates unique random email addresses for online services, shielding the user's real address. Incoming messages are forwarded to the user's primary inbox. However, Murphy's vulnerability allows anyone to link a temporary address to the real one, defeating the purpose. Reported to Apple in summer 2025, the issue remains open as of July 2026, even though Apple claimed it was resolved in March 2026.
Sponsored Protocol
Other privacy breaches: Scattered Spider and WhatsApp usernames
This week, the US Department of Justice announced the extradition of Peter Stokes, a 19-year-old suspected member of the Scattered Spider hacking group. Stokes is charged with hacking a luxury jewelry retailer and demanding an $8 million cryptocurrency ransom. Meanwhile, India has asked WhatsApp to pause its username rollout, citing fraud and cybercrime risks, and also sent letters to Signal and Telegram.
Sponsored Protocol
Automatic license plate reader errors lead to wrongful stops
An investigation by the Institute for Justice found at least 24 misidentification cases over the past eight years involving ALPR cameras. Errors include reading 'O' as '0' and failing to remove plates from wanted lists, resulting in armed stops and detentions. These incidents add to growing concerns about AI-powered camera accuracy.
Source: https://www.wired.com/story/security-roundup-apples-hide-my-email-service-fails-to-hide-your-email