Apple Hide My Email Reportedly Exposes the Real Addresses It Is Designed to Protect

A reported flaw in Apple’s Hide My Email feature may allow someone to uncover the real email address behind an iCloud-generated alias, raising concerns for users who rely on the service for privacy and personal safety.

According to reporting from 404 Media and findings from security researcher Tyler Murphy, co-founder of EasyOptOuts, the issue has allegedly remained unresolved for more than a year after being reported to Apple. Because the vulnerability may still be exploitable, technical details have not been published.

What Is Hide My Email?

Hide My Email is included with Apple’s paid iCloud+ plans. The feature allows users to create unique, randomly generated email addresses when signing up for websites, apps, newsletters, or other online services.

Instead of giving a company your real email address, you can provide an Apple-generated alias. Messages sent to that alias are forwarded to your actual inbox, while your private address is supposed to remain hidden.

For many users, this is useful for:

  • Reducing spam
  • Separating accounts from a personal identity
  • Limiting exposure during data breaches
  • Creating disposable addresses for online services
  • Protecting privacy when dealing with unknown companies or individuals

The Reported Privacy Problem

The issue, as described by the researcher, appears to undermine the core promise of Hide My Email. In testing, a hidden iCloud alias could reportedly be used to identify the real email address connected to the Apple account behind it.

404 Media said it verified the issue using one of its own Hide My Email addresses. The researcher was reportedly able to determine the real Apple account email shortly after receiving the alias.

That creates a serious privacy concern. If someone uses Hide My Email to avoid exposing their identity, but the alias can still be connected back to their real address, the protection may be far weaker than users expect.

Why This Matters

Email addresses are often more than simple contact details. They can be tied to usernames, social media accounts, data broker profiles, password resets, leaked databases, and public records.

If a hidden Apple alias can be connected to a real address, attackers, stalkers, marketers, scammers, or data brokers could potentially use that information to build a fuller profile of a person.

This is especially concerning for people who use email aliases for sensitive reasons, including journalists, activists, abuse survivors, whistleblowers, or anyone trying to keep their personal identity separate from online accounts.

Researcher Says Apple Was Notified in 2025

According to the report, the issue was first disclosed to Apple in June 2025. Apple allegedly acknowledged the report and said it was investigating. Months later, Apple reportedly said the problem had been addressed, but the researcher found that it still worked.

Further communication followed, with Apple allegedly saying it continued to investigate and later planned to address the issue in a future security update. As of the report’s publication, however, the flaw was said to remain active.

Apple did not respond to multiple requests for comment.

What Users Should Do

Until Apple confirms a fix, users should treat Hide My Email as a useful spam-reduction tool, but not as a guaranteed anonymity feature.

Recommended precautions:

  • Avoid using Hide My Email for situations where exposure of your real address could create personal risk.
  • Use separate email accounts for highly sensitive activity.
  • Consider privacy-focused email providers that support aliases or custom domains.
  • Review where you have used Hide My Email aliases.
  • Be cautious about assuming any email alias fully protects your identity.

Bigger Privacy Lesson

Apple has built a strong privacy-focused brand, and Hide My Email is one of its most visible privacy tools. But this report is a reminder that privacy features must be continually tested, audited, and fixed quickly when weaknesses are found.

For users, the takeaway is simple: email aliases are helpful, but they are not magic. If your safety depends on keeping your real identity hidden, use multiple layers of protection instead of relying on one platform feature alone.

Post a Comment

0 Comments