A vulnerability in Apple’s Hide My Email feature could allow attackers to uncover the real email address behind an anonymous alias, undermining one of the company’s flagship privacy tools, according to security researchers and independent testing by 404 Media.
Hide My Email, available as part of Apple’s iCloud+ subscription, lets users generate random email aliases that forward messages to their primary inbox. The feature is designed to prevent websites, apps, and other services from learning a user’s real email address while reducing spam and protecting online privacy.
The issue was discovered by Tyler Murphy, co-founder of privacy company EasyOptOuts, who reported the vulnerability to Apple in June 2025. Murphy said Apple acknowledged the report and indicated it would be addressed, but more than a year later, the flaw remains exploitable.
To avoid putting users at greater risk, 404 Media did not publish technical details of the vulnerability. However, the outlet independently verified the findings by generating a new Hide My Email alias and providing it to Murphy, who was able to identify the real email address linked to the Apple account in approximately five minutes.
“We don’t know the full scope of the issue, but in our limited tests with volunteers, 100% of Hide My Email addresses were exploitable,” Murphy told 404 Media. He added that publicly available people-search services could make the vulnerability even more dangerous by allowing attackers to connect an exposed email address to other personal information.
According to Murphy, Apple initially informed him in March 2026 that the issue had been resolved. After retesting, however, he found the vulnerability still worked and provided Apple with additional evidence. In subsequent communications, Apple reportedly said it was continuing to investigate and expected to release a fix in a future security update. As of this week, no patch has been released.
The disclosure comes as Apple prepares another change to Hide My Email. The company plans to migrate all generated aliases to the @private.icloud.com domain, replacing the current mix of @icloud.com and @privaterelay.appleid.com addresses. Some privacy advocates have warned that websites could simply block the new domain, reducing the usefulness of the feature even if the vulnerability is eventually fixed.
For users who rely on Hide My Email to separate their identity from online accounts, the flaw could have significant privacy implications. Exposing a real email address may allow attackers to correlate accounts across multiple services, facilitate phishing campaigns, or uncover additional personal information through public databases.
Apple has not publicly disclosed technical details of the issue or announced when a fix will become available. Until the vulnerability is patched, security researchers recommend treating Hide My Email as an additional privacy layer rather than a guarantee of anonymity, particularly when protecting sensitive identities.