By John Gruber
Joseph Cox, reporting for 404 Media:
404 Media is not revealing the exact details of the vulnerability because it can still be exploited as of Monday, when 404 Media verified the issue with one of our own hidden email addresses.
“Apple Hide My Email is leaking email addresses that are supposed to be hidden. We reported the issue and replication instructions to Apple over a year ago. We don’t know why it hasn’t been fixed, but we don’t feel comfortable waiting any longer. Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses,” Tyler Murphy, the co-founder of EasyOptOuts, which discovered and reported the issue to Apple, told 404 Media. [...]
To test the issue I generated a new Hide My Email address and provided it to Murphy. Around five minutes later, he replied with my real email address linked to my Apple account which was supposed to be hidden.
“We don’t know the full scope of the issue, but in our limited tests with volunteers, 100% of Hide My Email addresses were exploitable,” Murphy said.
Not good. Especially the “We reported the issue and replication instructions to Apple over a year ago” part. (Is this possibly related to the WWDC news that Apple is merging the domain names used for Sign In With Apple and Hide My Email? I can’t see why, but who knows?)
★ Wednesday, 1 July 2026