iOS 26

iPhone

iPad

Apple Watch

AirPods

Apple Deals

Apple’s Privacy Feature Meant to Keep Your Email Secret Has Been Exposing Real Addresses for Over a Year

Gotechtor select and review products independently. When you purchase through our links, we may earn a commission. See our ethics statement.

A security flaw in Apple’s Hide My Email service can expose users’ real email addresses to outside parties, and Apple has not deployed a fix despite being notified about the problem more than a year ago.

Tyler Murphy, co-founder of the data removal service EasyOptOuts, discovered the vulnerability and reported it to Apple in June 2025, along with step-by-step instructions to reproduce it. Apple acknowledged receipt a month later.

In tests Murphy conducted with volunteers, every single Hide My Email address evaluated turned out to be exploitable. That’s a 100% rate across all addresses tested.

What Users Thought They Had

Hide My Email is part of Apple’s iCloud+ subscription. When signing up for a website or app, users can generate a random alias address that forwards to their real inbox.

The idea is that their actual email address stays out of third-party databases, reducing exposure to spam, data breaches, and identity tracking.

People who rely on it for personal safety, such as those avoiding contact with specific individuals, have an elevated stake in it working as described.

According to Murphy, the flaw makes it possible for outside parties to reverse an alias address and identify the real account behind it.

Free people-search websites can then connect that email address to a person’s name, location, and other personal details. Murphy stated publicly, “Hide My Email is leaking email addresses that are supposed to be hidden.

Free, publicly accessible people-search sites make it easy to link an email address to other personal details, so people relying on Hide My Email for safety may be at risk.”

Apple’s Response Over Thirteen Months

In March 2026, Apple told Murphy it had resolved the issue through a system change. Murphy tested that claim and found the vulnerability still worked.

He submitted additional documentation, and Apple responded that it was continuing to investigate. Two months later, in May, Apple again said the issue was under review and asked Murphy to hold off on going public until the investigation concluded.

Murphy suggested Apple temporarily pause the creation of new Hide My Email addresses to reduce risk for current users while a full fix was developed. There is no indication Apple acted on that proposal.

By the end of May, Apple told Murphy a security update addressing the flaw was expected within a few weeks. As of this writing, the vulnerability remains open.

The publication 404 Media, which independently verified the flaw using one of its own Hide My Email addresses this week, chose not to publish technical details because the issue is still exploitable.

A Separate Problem Already Emerged This Year

This is not the first complication for Hide My Email in 2026. In June, it emerged that Apple’s decision to move the service to a dedicated private.icloud.com domain made it easier for websites and platforms to detect and block iCloud alias addresses outright.

Users attempting to register on services using a Hide My Email address may find those addresses rejected before the privacy protection even has a chance to function.

For anyone paying for iCloud+ partly because of Hide My Email, both developments raise questions about the current reliability of the feature.

iCloud+ plans start at $0.99 per month for 50GB and go up to $9.99 per month for 2TB, with Hide My Email available across all paid tiers.

🍎 The only 5 Apple stories that matter — sent every Friday to 50K+ smart readers. You in?

Founder & Editor-in-Chief

Herby has a healthy obsession with all things Apple, especially the iPhone. He loves to rip things apart to see how they work. He is responsible for the editorial direction, strategy, and growth of Gotechtor.

Herby Jasmin

's latest stories

Leave a Comment

Be kind. Discriminatory language, personal attacks, promotion, and spam will be removed. Please read Gotechtor's Community Guidelines before participating.