← All Stories
TechnologyJul 6, 2026·RushNews Desk

Apple Hide My Email Bug Can Expose Your Real Address

A researcher says Apple's Hide My Email leaked the addresses it is meant to hide, with 100% of test aliases traceable to real inboxes and no fix over a year later.

Apple Hide My Email Bug Can Expose Your Real Address
Photo: Cheng Xin / Getty Images

If you use Apple's Hide My Email to keep your real address private, there is news you need to hear. A security researcher says the feature has been leaking the very addresses it is meant to protect, and the problem has sat unfixed for more than a year.

What Hide My Email is supposed to do

Hide My Email is one of Apple's headline privacy tools. When you sign up for an app or a website, it creates a random address that ends in icloud.com and quietly forwards every message to your real inbox. The site never sees your true address, so if it gets breached or sells your data, your primary email stays out of reach.

That promise is the whole point of the feature. It is built into Sign in with Apple and offered to iCloud+ subscribers as a way to cut down on spam and tracking.

The flaw researchers found

Tyler Murphy, co-founder of the privacy service EasyOptOuts, discovered that the shield can be pulled aside. In his testing, 100% of the generated Hide My Email addresses could be traced back to the real address behind them. In other words, the random alias that was supposed to hide you could be turned into a pointer straight to your actual inbox.

The outlet 404 Media said it confirmed the issue using one of its own hidden addresses. Neither the researcher nor the reporters have published the exact method, because it still worked at the time the story broke and they did not want to hand attackers a ready made guide.

Why it stayed open so long

According to Murphy, he reported the bug to Apple in June of last year and the company said it was investigating. Apple later told him it had been patched in March, but he checked and found it was still exploitable. Apple then said a fix was coming in June. When that deadline passed with the hole still open, he decided the public had a right to know.

What an attacker could do with it

The risk here is not a stolen password or a drained bank account. It is the loss of the exact thing you signed up for: separation between your identity and your inbox. If someone can convert a hidden alias into your real address, they can:

  • Link accounts you meant to keep apart back to one person
  • Add your real address to spam and phishing lists
  • Cross reference you against data from past breaches
  • Undo the anonymity you relied on when signing in with Apple
  • For most people the practical danger is more spam and more tracking. For journalists, activists, or anyone who deliberately compartmentalizes their online life, the stakes are higher.

    What you can do right now

    There is no user side setting that fully closes this, since the fix has to come from Apple. Still, a few steps lower your exposure:

  • Treat any Hide My Email alias as less private than advertised for now
  • Be cautious about which sensitive services you tie to a single Apple account
  • Watch for a spike in spam, which can be a sign your real address has leaked
  • Keep your devices updated so you get Apple's patch the moment it ships
  • Apple has also said it plans to move Hide My Email onto a new shared domain, private.icloud.com, though that change is separate from this bug and drew its own criticism because companies could block the domain outright.

    The bottom line

    Privacy features are only worth using if they actually hold. Until Apple confirms a real fix, anyone leaning on Hide My Email should know the curtain has been slipping. The tool still beats handing over your raw address everywhere, but it is not the ironclad shield it was sold as.

    Sources

    404 Media
    ApplePrivacySecurityHide My EmailCybersecurityiCloud

    More Stories

    We use cookies for analytics and to show ads. Some are optional and we only load them with your consent. See our Privacy Policy.