Apple’s “Hide My Email” Feature Is Reportedly Revealing Your Real Email Address.

Apple’s “Hide My Email” feature is crucial to my privacy and security. Almost every time I create a new account, especially if I don’t fully trust the company that created it, I hide my real email address using “Hide My Email.” If a company turns out to be unscrupulous and decides to sell my email address, or if there’s a data breach and my data is exposed, don’t worry: they never had my real email address. At least, that’s how it should be.

The Hide My Email app has privacy and security issues.

As Joseph Cox of 404 Media reported, a vulnerability has been discovered in Hide My Email that could reveal the email addresses behind Hide My Email aliases. Details are sparse, and intentionally so: this is an active security vulnerability, and revealing too much information could lead to further dissemination of the exploit. But according to Tyler Murphy, co-founder of EasyOptOuts, “almost anyone” could exploit this vulnerability to discover the real email address behind any Hide My Email proxy.

If you’re unsure how the “Hide My Email” feature works, here’s a quick explanation: Let’s say your email address is [email protected]. When you sign up for a new site, the “Hide My Email” feature may create an “alias” for you. In this case, let’s say the feature created the alias [email protected] (they almost always look something like this). You sign up for the new site using this alias, rather than your real email address, and all emails sent to this alias automatically go to your real inbox. Functionally, it’s as if you’ve given the company your real address. But if you ever want to cut ties with the company, you can simply delete the alias, and your real email address will remain private.

The problem is that using “free, publicly accessible people search sites,” attackers can determine your real email address based on your alias. Cox says they tested this on Murphy. They sent Murphy one of their Hide My Email aliases, and within five minutes, Murphy responded with Cox’s real email address. Although Murphy says the tests were limited, the vulnerability worked on every alias he tried. This doesn’t bode well for Hide My Email’s security.

Apple is aware of the Hide My Email vulnerability.

Moreover, Apple has apparently known about this vulnerability since June 2025. Murphy says he contacted the company about the vulnerability over a year ago. Apple responded a month later, confirming it was investigating the issue. Then, in March 2026, Apple responded, announcing that it had fixed the vulnerability.

Considering it’s July, this clearly wasn’t the case. Murphy contacted Apple again to inform them that Hide My Email still contained the vulnerability. Apple responded that it was reviewing the issue again and confirmed back in May that the investigation was ongoing. Apple asked Murphy to withhold information about the issue until it was fixed, to avoid exposing customers to risk. However, Murphy said he was uncomfortable allowing users to continue relying on Hide My Email without being aware of the risks.

The “Hide My Email” feature is already in a high-risk state.

This news comes just a few weeks after TechCrunch reported that Apple was making changes to the “Hide My Email” feature for the worse. According to the report, Apple plans to change the domain of aliases in “Hide My Email” from @icloud.com to @private.icloud.com. This will significantly reduce the effectiveness of the feature, as it will let everyone know you’re using an alias. Currently, aliases are indistinguishable from regular iCloud email addresses (except perhaps for weird names) because the domains are the same. By marking alias domains as “private,” both humans and bots will know it’s not your real address and can block your aliases from creating accounts.

Apple hasn’t implemented these changes yet, but Hide My Email has had a rough month. I’m not planning on completely overhauling my workflow based on these messages just yet, but I hope Apple takes appropriate action and fixes this issue as soon as possible. (And, on top of that, abandons plans to change Hide My Email’s domains.)
