Use Apple’s ‘Hide My Email’ Feature? This could expose your real one

0
Use Apple’s ‘Hide My Email’ Feature? This could expose your real one

A security researcher is sounding the alarm about a flaw in Apple’s “Hide My Email” feature. The feature, it seems, could actually expose users’ actual email addresses.

“Hide My Email,”  available to users of Apple’s iCloud+ service, generates random email addresses for use across the web that forward any messages to users’ actual email accounts.

Tyler Murphy, co-founder of the online data removal service EasyOptOuts, told 404 Media that he first reported the issue to Apple in June 2025. Yet, despite repeated promises that the flaw would be addressed, users of Hide My Email remain vulnerable.

”Apple Hide My Email is leaking email addresses that are supposed to be hidden,” Murphy told 404 Media. “We reported the issue and replication instructions to Apple over a year ago,” Murphy said. “We don’t know why it hasn’t been fixed, but we don’t feel comfortable waiting any longer. Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses.”

Apple ‘still investigating’

Murphy said that Apple first replied roughly one month after his initial disclosure and reported that the issue was being looked into. Then, in March 2026, Apple told Murphy that the vulnerability was addressed in a recent system change.

But further testing by Murphy found that the problem remained. After alerting Apple for a second time later that month, the company once again said it was looking into the issue. Apple issued a statement to Murphy in May that said the investigation was ongoing.

“We are still investigating this issue,” Apple said. “To avoid placing our customers at risk, we would appreciate you not disclosing this information until our investigation is complete. We appreciate your assistance in helping us to maintain and improve the security of our products.”

And although Apple said at the end of May that it would address the bug in an upcoming security update, both Murphy and 404 Media confirmed that Hide My Email users are still vulnerable as of this week.

Details of the vulnerability have been kept hidden in order to protect users. Apple has not publicly responded to the issue since Murphy made the vulnerability’s existence known.

The issue is compounded by the fact that Apple, according to TechCrunch, plans in the coming weeks to alter the Hide My Email feature in a way that could reduce its privacy protections. At current, random emails created by the feature end in the @icloud.com domain. The coming change will instead use the @private.icloud.com domain, giving websites and online services the ability to block email addresses generated by the feature.


Round out your reading

Ella Rae Greene, Editor In Chief

Leave a Reply

Your email address will not be published. Required fields are marked *