Apple Hide My Email Vulnerability Exposes Real Email Addresses

A flaw in Apple's Hide My Email service can reportedly allow almost anyone to uncover the real email address behind a generated alias, and Apple has failed to address it for more than a year since it was first reported.

404 Media is withholding the technical specifics of the vulnerability because it remains exploitable, but the publication verified the issue this week using one of its own Hide My Email addresses. In tests with volunteers by the researcher who discovered the flaw, 100% of Hide My Email addresses were found to be exploitable.

Tyler Murphy, co-founder of EasyOptOuts, discovered the issue and responsibly reported it to Apple in June 2025, along with instructions to replicate it. Apple acknowledged the report a month later and said it was investigating. Murphy said:

Apple Hide My Email is leaking email addresses that are supposed to be hidden. We reported the issue and replication instructions to Apple over a year ago. We don't know why it hasn't been fixed, but we don't feel comfortable waiting any longer. Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses.

Free, publicly accessible people-search sites make it easy to link an email address to other personal details, so people relying on Hide My Email for safety may be at risk.

In March 2026, Apple told Murphy it had "addressed the reported issue in a recent system change," but Murphy found the flaw had not in fact been closed. He provided further information, and Apple replied again to say it was still investigating.

In May, Apple once more said the issue remained under investigation and asked Murphy not to disclose it publicly until the inquiry was complete. Murphy proposed that Apple suspend the creation of new Hide My Email addresses as an interim measure to limit customer risk, but there is no indication that suggestion was acted on. By the end of May, Apple said it expected to address the issue in a security update "expected in the coming weeks."

Hide My Email is an iCloud+ feature that lets users generate random alias email addresses, primarily for use when signing up to services or corresponding with third parties. It is designed to protect a user's real email address from spam, data breaches, and unwanted identification.

Murphy noted that numerous people-search databases are freely available online and can tie an email address to a person's other personal details, meaning anyone depending on Hide My Email for their safety may be more exposed than they realize. Last month, it emerged that Apple's decision to move Hide My Email to a dedicated "private.icloud.com" domain appears to have made it easier for platforms that want to block iCloud aliases to do so.

Top Rated Comments

match14
4 hours ago at 06:25 am
You’re hiding it wrong!
Score: 29 Votes
dysamoria
4 hours ago at 06:34 am
“We don't know why it hasn't been fixed…”

It hasn’t been fixed because Apple don’t fix bugs.

There are countless text editing/entry bugs in iOS/iPadOS that appeared during iOS 18 and were never fixed to this day.

I’m also still suffering corrupt iMessage conversations on iPhone when the addressee has both iMessage on a Mac and RCS on a droid phone, mixed back & forth in a conversation (I can’t send iMessages to ONE person, only, on my iPhone, but it works on all other devices, and the same recipient CAN get iMessages from me in a shared/group conversation on my iPhone). This started in iOS 18, still not fixed. Deleting and creating a new conversation used to correct it in iOS 18 but not in iOS 26. When it fails to send from iPhone, it fails entirely SILENTLY, with no error messages.

I could list countless bugs they’ve never fixed across major OS revisions. Apple don’t care. All they want to do is push people to buy the same devices over and over, by throwing “new features” at us that show up broken and never get fixed, and subscribe to services, like this “service” being shown as broken in this article.
Score: 19 Votes
Mr_Ed
4 hours ago at 07:06 am
This is the kind of thing that seriously undermines any claim that Apple is the “privacy” choice for consumers.
I use “Hide my Email” regularly, so learning about this is really maddening. Apple management obviously doesn’t see it as a serious issue if they allowed it to linger this long. How big of a chunk of salt are we expected to bring along when we listen to their ads, like the ones running currently regarding Safari and trackers, for example?
Score: 15 Votes
jdavid_rp
4 hours ago at 06:38 am
So a feature used to justify the walled garden of iCloud and its upselling tiers (from 200Gb to 2Tb, really no chance for an in-between?) not really private? Can we know for sure private relay is private then?
Score: 15 Votes
pigeonguy
4 hours ago at 06:38 am
Has MacRumors reached out to Apple for comment? They have some explaining to do.
Score: 14 Votes
gsmornot
4 hours ago at 06:31 am
Well, this is interesting. I don't use the service to hide so much as I use it to avoid spam to my actual iCloud address. Most of my communication is with my non-Apple email but with hide my, it seemed to be a good option for services I didn't want to share my regular email or to speed the login process. Hope this is fixed soon.
Score: 11 Votes
