A significant vulnerability has been identified in Apple’s ‘Hide My Email’ service, potentially allowing unauthorized parties to uncover users’ actual email addresses. This flaw, first reported over a year ago, remains unaddressed, raising concerns about user privacy.
‘Hide My Email’ is a feature of Apple’s iCloud+ subscription, enabling users to create random email aliases that forward messages to their personal inboxes. This service is designed to protect users’ real email addresses from spam and unwanted tracking.
Tyler Murphy, co-founder of EasyOptOuts, discovered the issue in June 2025 and promptly reported it to Apple, providing detailed replication instructions. Apple acknowledged the report in July 2025 and indicated an ongoing investigation. However, as of July 2026, the vulnerability persists.
In March 2026, Apple informed Murphy that a recent system change had addressed the issue. Upon further testing, Murphy found that the flaw remained exploitable and provided additional information to Apple. The company responded that the investigation was still underway.
By May 2026, Apple had asked Murphy to withhold public disclosure until the investigation concluded. Murphy suggested suspending the creation of new ‘Hide My Email’ addresses to mitigate user risk, but there is no evidence that this measure was implemented. Apple projected that a security update would resolve the issue in the coming weeks.
The persistence of this vulnerability is particularly concerning given the availability of public people-search databases that can link email addresses to personal information. Users relying on ‘Hide My Email’ for privacy may be more exposed than they realize.
Additionally, Apple’s recent decision to transition ‘Hide My Email’ to a dedicated ‘private.icloud.com’ domain has unintended consequences. This change simplifies the process for platforms to block iCloud aliases, potentially undermining the service’s effectiveness.
Apple’s ‘Hide My Email’ service, introduced with iOS 15 and macOS Monterey, was intended to enhance user privacy by concealing real email addresses. The ongoing vulnerability and the company’s delayed response highlight the challenges in maintaining robust privacy features. Users should remain vigilant and consider alternative measures to protect their personal information until a definitive fix is implemented.