Apple’s Hide My Email feature is designed to keep a user’s real email address from websites. Researchers say a flaw may have had the opposite effect.
Researchers at EasyOptOut, Ben and Tyler Murphy, say they found a vulnerability in Apple’s “Hide My Email” feature that can expose a user’s real email address to websites under certain conditions. Apple patched the flaw twice, but EasyOptOut found both remediations could still be circumvented.
The public disclosure caps off more than a year of exchanges between Apple and EasyOptOut, highlighting just how long those using the feature could have been exposed without knowing it. According to the researchers, publicly announcing this will enable “people to be able to account for this risk when deciding when and how to use Hide My Email.”
How does Hide My Email work?
Hide My Email is an iCloud+ feature that lets Apple users generate unique email aliases for signing up to websites and online services. Instead of sharing their real email address, users provide an alias, while Apple forwards messages sent to that alias address to their actual inbox.
The alias effectively acts as a privacy layer, allowing users to communicate online without revealing their personal contact information. The feature also allows users to reply to emails with the same anonymity.
The feature is especially beneficial for privacy-conscious individuals who don’t want websites to link their real identities to their accounts across other services. That assurance of anonymity is what makes the flaw EasyOptOut discovered serious.
A bug sat unfixed for an entire year
The duo said they first disclosed the vulnerability to Apple in June 2025 and later submitted additional technical details. Apple acknowledged the reports and, over the following year, twice informed the researchers that the issues had been fixed.
According to EasyOptOut, both fixes proved incomplete: the vulnerability could still be reproduced after each patch. The firm had also warned that the issue appeared more severe than originally believed. More recently, Joseph Cox of 404 Media also independently confirmed that the flaw still existed.
The data privacy firm says it will not publish the reproduction details until Apple issues a fix for the vulnerability.
Where does this leave Apple users?
Both researchers have called on Apple to temporarily restrict the creation of new aliases using the Hide My Email feature and to notify iCloud subscribers about the issue. According to the researchers, doing so would reduce the potential attack surface while Apple works on developing a fix.
The researchers did not identify any websites that may have uncovered users’ real email addresses through the flaw. Still, anyone who has relied on Hide My Email to keep their identity separate from online services should consider that their protection may be weakened until Apple confirms the issue has been fully resolved.
For users, that doesn’t necessarily mean abandoning the feature altogether. Instead, it serves as a reminder that privacy tools are only as effective as the protections behind them. Going forward, users should be mindful that the email alias shielding their inbox may not always keep their real address out of reach.
As such, it is best not to use the feature if you’re unsure about the data-handling practices of an online service. As an alternative, if you must sign up for a less trusted service, create a sock puppet email address for that purpose.