Apple Hide My Email Bug Can Expose Your Real Address
A researcher says Apple's Hide My Email leaked the addresses it is meant to hide, with 100% of test aliases traceable to real inboxes and no fix over a year later.

If you use Apple's Hide My Email to keep your real address private, there is news you need to hear. A security researcher says the feature has been leaking the very addresses it is meant to protect, and the problem has sat unfixed for more than a year.
What Hide My Email is supposed to do
Hide My Email is one of Apple's headline privacy tools. When you sign up for an app or a website, it creates a random address that ends in icloud.com and quietly forwards every message to your real inbox. The site never sees your true address, so if it gets breached or sells your data, your primary email stays out of reach.
That promise is the whole point of the feature. It is built into Sign in with Apple and offered to iCloud+ subscribers as a way to cut down on spam and tracking.
The flaw researchers found
Tyler Murphy, co-founder of the privacy service EasyOptOuts, discovered that the shield can be pulled aside. In his testing, 100% of the generated Hide My Email addresses could be traced back to the real address behind them. In other words, the random alias that was supposed to hide you could be turned into a pointer straight to your actual inbox.
The outlet 404 Media said it confirmed the issue using one of its own hidden addresses. Neither the researcher nor the reporters have published the exact method, because it still worked at the time the story broke and they did not want to hand attackers a ready made guide.
Why it stayed open so long
According to Murphy, he reported the bug to Apple in June of last year and the company said it was investigating. Apple later told him it had been patched in March, but he checked and found it was still exploitable. Apple then said a fix was coming in June. When that deadline passed with the hole still open, he decided the public had a right to know.
What an attacker could do with it
The risk here is not a stolen password or a drained bank account. It is the loss of the exact thing you signed up for: separation between your identity and your inbox. If someone can convert a hidden alias into your real address, they can:
For most people the practical danger is more spam and more tracking. For journalists, activists, or anyone who deliberately compartmentalizes their online life, the stakes are higher.
What you can do right now
There is no user side setting that fully closes this, since the fix has to come from Apple. Still, a few steps lower your exposure:
Apple has also said it plans to move Hide My Email onto a new shared domain, private.icloud.com, though that change is separate from this bug and drew its own criticism because companies could block the domain outright.
The bottom line
Privacy features are only worth using if they actually hold. Until Apple confirms a real fix, anyone leaning on Hide My Email should know the curtain has been slipping. The tool still beats handing over your raw address everywhere, but it is not the ironclad shield it was sold as.


