Apple’s Hide My Email Vulnerability: A Privacy Concern?

Apple’s Hide My Email feature, designed to protect users’ real email addresses by generating random aliases, has been found to have a vulnerability that allows the discovery of the underlying genuine email address. This issue, identified over a year ago, remains unaddressed by Apple.

Introduced in iOS 15, Hide My Email enables users to create unique, random email addresses for use with apps and websites, forwarding communications to their actual inboxes. This approach aims to shield users from spam and unwanted tracking. However, security researcher Tyler Murphy discovered in June 2025 that it’s possible to trace these alias addresses back to the user’s real email. Despite reporting this to Apple, the flaw persists.

In March 2026, Apple claimed to have addressed the issue through a system change. Yet, subsequent testing indicated that the vulnerability still exists. Apple later informed Murphy that a future security update would resolve the problem, but no such fix has been implemented to date.

Recently, a class-action lawsuit was filed against Apple, alleging false advertising and breach of contract related to Hide My Email. The plaintiff argues that Apple sold a privacy feature it couldn’t fully provide. Notably, the lawsuit doesn’t cite any specific instances where the vulnerability was exploited to harm users.

While the ability to uncover a user’s real email address through Hide My Email is concerning, it’s important to consider the practical implications. The feature primarily serves to reduce spam and unwanted communications. For most users, the risk of someone actively seeking out their real email address is minimal. However, the unresolved nature of this flaw raises questions about Apple’s commitment to user privacy and the effectiveness of its security measures.