Apple’s ‘Hide My Email’ feature, designed to protect users’ personal email addresses by generating unique, random aliases, has been found to have a significant vulnerability. This flaw allows attackers to uncover the real email addresses behind these aliases, undermining the privacy the feature is meant to provide.
The vulnerability was first discovered by security researcher Tyler Murphy, co-founder of EasyOptOuts, who reported it to Apple in June 2025. Despite acknowledging the report and stating that the issue was under investigation, Apple has yet to implement a fix. In March 2026, Apple claimed to have addressed the problem through a system change, but subsequent tests confirmed that the vulnerability persisted.
Murphy’s tests, along with independent verification by 404 Media, demonstrated that 100% of ‘Hide My Email’ addresses tested were exploitable. The technical specifics of the vulnerability have been withheld to prevent further exploitation, but the ease with which real email addresses can be uncovered raises serious privacy concerns.
Adding to the concern, Apple plans to unify ‘Hide My Email’ and ‘Sign in with Apple’ email addresses under a new subdomain, @private.icloud.com. This change, set to take effect later this summer, could make it easier for services to block these privacy-focused aliases, potentially rendering them less effective.
Apple’s ‘Hide My Email’ feature is part of the iCloud+ subscription service, introduced to help users maintain their privacy by concealing their real email addresses when signing up for apps and websites. The feature generates unique, random email addresses that forward messages to the user’s personal inbox, allowing users to read and respond to emails without revealing their actual email address.
The persistence of this vulnerability, despite being reported over a year ago, raises questions about Apple’s commitment to user privacy and the effectiveness of its security response processes. Users who rely on ‘Hide My Email’ for privacy should be aware of this issue and consider alternative methods to protect their personal information until a fix is implemented.