This technical brief discloses a vulnerability in Apple Inc.’s Hide My Email feature, originally designed to protect user privacy. The flaw can leak users’ real email addresses; it has existed for over a year, and while Apple previously acknowledged this issue, it has yet to be fully fixed to date.
Apple’s Hide My Email feature is only available to iCloud+ subscribers. When users register for websites or online services, they can generate a random email address with an iCloud suffix; all emails received by this generated address are automatically forwarded to the user’s actual primary inbox, which hides the user’s real email address to protect their privacy.
Hide My Email, launched by Apple, is an exclusive privacy tool only available to iCloud+ users. It can reduce spam emails and also block advertisers and data agencies from tracking users across websites.
The security vulnerability of this tool was reported in June 2025 by Tyler Murphy, co-founder of EasyOptOuts, an internet personal information deletion service. Murphy also simultaneously published the detailed steps to reproduce the vulnerability.
According to Murphy, attackers with basic technical skills can reverse engineer Hide My Email addresses. That process can reveal the real email address linked to an anonymous alias.
Read More: Apple will hide your Email address from Apps and Websites, but Authorities Still Have Access
Murphy said his team tested the issue with several volunteers. Every Hide My Email address they examined could be traced back to the original email account. He warned that public people-search websites make the situation even more serious. Once someone discovers a real email address, they may also uncover other personal details connected to that account.
Independent testing by 404 Media reached the same conclusion. The publication created a new Hide My Email address and shared it with Murphy for testing. Within minutes, he successfully identified the real email address behind the alias.
The researchers also tested several volunteer accounts. In every case, the attack worked. None of the generated email aliases resisted the technique.
Apple’s response has raised additional concerns.
About a month after receiving Murphy’s report, the company confirmed that it was investigating the issue. Months later, in March 2026, Apple informed Murphy that recent system changes had fixed the vulnerability.
Murphy immediately tested the update. The flaw was still there.
He reported his findings again in May 2026. Apple replied that the investigation was still ongoing. The company also asked Murphy not to disclose the issue publicly while it continued its review.
Murphy suggested a temporary solution. He recommended that Apple stop creating new Hide My Email addresses until a permanent fix were available. There is no evidence that Apple adopted this recommendation.
Apple previously pledged to roll out a security vulnerability fix update for its privacy feature, Hide My Email, within several weeks. On June 30, 2026, Murphy confirmed with third-party media outlet 404 Media that the vulnerability remained active.
As of the time of publication, Apple has not issued any public response. This delayed remediation of the issue is continuously eroding the trust of users who rely on the service.
Read More: Email Hacked? Here’s What to Do And How to Protect Yourself Going Forward
The timing is also important.
Apple recently announced changes to Hide My Email. In June 2026, the company revealed plans to move both Hide My Email and Sign in with Apple relay addresses to the @private.icloud.com domain.
While the update aims to simplify Apple’s email relay system, privacy experts believe it may introduce another challenge. Websites could potentially recognize these addresses more easily. Some services may even choose to block them. If that happens, users who rely on anonymous email aliases could lose another layer of privacy.
For now, security researchers recommend staying informed and watching for future Apple updates. Until a permanent fix arrives, users should remember that Hide My Email may not provide the level of protection they expected.





