Apple’s ‘Hide My Email’ Vulnerability Exposes Real Addresses

Apple’s ‘Hide My Email’ feature, designed to protect users’ real email addresses by generating anonymous aliases, has been found to contain a vulnerability that allows attackers to uncover the actual email addresses behind these aliases. This issue was first identified over a year ago and remains unaddressed.

Introduced as part of Apple’s iCloud+ subscription, ‘Hide My Email’ enables users to create unique, random email addresses that forward messages to their personal inboxes, thereby safeguarding their primary email from unwanted exposure. However, security researcher Tyler Murphy, co-founder of EasyOptOuts, discovered a flaw in June 2025 that compromises this protective measure. He reported the issue to Apple, providing detailed replication instructions, but the vulnerability persists to this day.

Murphy’s tests revealed that 100% of the ‘Hide My Email’ addresses examined were exploitable, meaning that attackers could consistently determine the real email addresses associated with the aliases. This flaw poses significant privacy risks, as it undermines the very purpose of the feature by exposing users’ personal information.

Despite acknowledging the report and stating in March 2026 that they had “addressed the reported issue in a recent system change,” Apple has yet to implement a fix that effectively resolves the vulnerability. The continued existence of this flaw raises concerns about the company’s commitment to user privacy and the efficacy of its security measures.

For users relying on ‘Hide My Email’ to maintain their anonymity, this unresolved issue serves as a cautionary reminder of the potential limitations of digital privacy tools. It underscores the importance of staying informed about the security of the services we use and advocating for prompt and transparent responses from tech companies when vulnerabilities are discovered.