PSA: Apple Hide My Email Vulnerability Can Reveal Your Real Email Address

A newly disclosed vulnerability in Apple’s Hide My Email feature can reveal the real email address behind an alias that is supposed to keep it private. According to 404 Media, security researcher Tyler Murphy reported the issue to Apple in June 2025, but it remains exploitable more than a year later. The publication independently verified the vulnerability using one of its own Hide My Email addresses.

Murphy says the flaw could expose users who rely on Hide My Email to reduce spam, separate online accounts from their personal email address, or add another layer of privacy. Apple told the researcher it is investigating the issue and plans to address it in a future security update.

Apple Has Been Investigating the Hide My Email Flaw Since 2025

Hide My Email, included with iCloud+, generates randomized email addresses that forward messages to your primary inbox while keeping your real email address hidden from websites, apps, and other recipients. According to Murphy, the vulnerability makes it possible to discover the real email address behind one of those aliases.

Murphy told 404 Media that every Hide My Email alias tested by his team was vulnerable. Because publicly accessible people-search websites can link email addresses to other personal information, he warned that users who depend on Hide My Email for privacy or safety could be at risk.

According to copies of Murphy’s correspondence with Apple shared with 404 Media, the vulnerability was first reported in June 2025. Apple acknowledged the report, later said it had addressed the issue through a system change, and continued investigating after Murphy demonstrated that the flaw still existed.

In May 2026, Apple asked Murphy not to publicly disclose the issue while its investigation continued. By the end of the month, the company said it expected to address the vulnerability in a future security update. However, 404 Media confirmed the issue remained exploitable this week.

The report also follows Apple’s recent announcement of changes to Hide My Email that have raised separate privacy concerns. Later this summer, newly generated Hide My Email and Sign in with Apple addresses will use the new @private.icloud.com domain instead of @icloud.com and @privaterelay.appleid.com. Existing aliases will continue to work without interruption.

Since the new domain is used exclusively for Apple’s email relay service, websites and apps will be able to identify Hide My Email addresses more easily. Critics argue this could make it simpler for services to block privacy aliases without affecting regular iCloud email accounts.

Earlier this year, a March 2026 criminal case also demonstrated that Apple can identify the account behind a Hide My Email alias when responding to a lawful request from law enforcement. Together, the criminal case, the planned domain change, and the newly disclosed vulnerability highlight that while Hide My Email is designed to conceal your email address from websites and other recipients, it is not a guarantee of anonymity.

(via 404 Media)

About the Author

Asma Hussain is an editor at iThinkDifferent, where she covers Apple news, streaming services, mobile gaming, and app reviews, with a particular focus on social media and consumer tech. She writes hands-on guides and app coverage drawn from day-to-day use across iPhone, iPad, and Mac. Outside of writing, she's interested in digital illustration, internet culture, and the small design decisions that shape how people use technology.
