Apple’s ‘Hide My Email’ feature, designed to protect users’ privacy by generating random email aliases, has been found to have a significant vulnerability. This flaw allows attackers to uncover the real email addresses associated with these aliases, effectively compromising the very privacy the feature aims to provide.
Security researcher Tyler Murphy, co-founder of EasyOptOuts, discovered this issue in June 2025 and promptly reported it to Apple. Although Apple acknowledged the report and indicated that it was investigating, it has yet to implement a fix. Murphy’s tests revealed that 100% of the generated aliases could be exploited to reveal the user’s actual email address.
In March 2026, Apple informed Murphy that the issue had been resolved. However, subsequent tests demonstrated that the vulnerability persisted. Apple then requested additional time to address the problem, but as of July 2026, the flaw remains unpatched. Consequently, Murphy decided to disclose the vulnerability publicly to inform users of the potential risk.
Apple’s ‘Hide My Email’ is a feature available to iCloud+ subscribers, allowing users to create unique, random email addresses that forward messages to their personal inboxes. This functionality is intended to keep personal email addresses private when signing up for services or newsletters. The discovery of this vulnerability raises concerns about the effectiveness of Apple’s privacy measures and the company’s responsiveness to security issues.
Given Apple’s strong emphasis on user privacy as a cornerstone of its brand, the prolonged existence of this flaw is particularly troubling. Users who rely on ‘Hide My Email’ for anonymity should be aware of this issue and consider alternative methods to protect their email addresses until a fix is implemented.
This incident underscores the importance of prompt and transparent responses to security vulnerabilities, especially for companies that position themselves as leaders in user privacy. It also highlights the need for users to stay informed about potential risks associated with the tools they use to safeguard their personal information.