Apple’s ‘Hide My Email’ Privacy Flaw Exposes Real Email Addresses


Researchers say Apple’s Hide My Email flaw may expose real addresses, despite two fixes. Here’s what users should know about the privacy risk.

Written by
Joseph Ofonagoro
Jul 2, 2026

Apple’s Hide My Email feature is designed to keep a user’s real email address from websites. Researchers say a flaw may have had the opposite effect.

Researchers at EasyOptOut, Ben and Tyler Murphy, say they found a vulnerability in Apple’s “Hide My Email” feature that can expose a user’s real email address to websites under certain conditions. Apple patched the flaw twice, but EasyOptOut found both remediations could still be circumvented.

The public disclosure caps off more than a year of exchanges between Apple and EasyOptOut, highlighting just how long those using the feature could have been exposed without knowing it. According to the researchers, publicly announcing this will enable “people to be able to account for this risk when deciding when and how to use Hide My Email.”

How does Hide My Email work?

Hide My Email is an iCloud+ feature that lets Apple users generate unique email aliases for signing up to websites and online services. Instead of sharing their real email address, users provide an alias, while Apple forwards messages sent to that alias address to their actual inbox.

The alias effectively acts as a privacy layer, allowing users to communicate online without revealing their personal contact information. The feature also allows users to reply to emails with the same anonymity.

The feature is especially beneficial for privacy-conscious individuals who don’t want websites to match their real identities across other services. That expectation of anonymity is what makes the flaw EasyOptOut discovered serious.

A bug sat unfixed for an entire year

The duo said they first disclosed the vulnerability to Apple in June 2025 and later submitted additional technical details. Apple acknowledged the reports and, over the following year, twice informed the researchers that the issues had been fixed.

According to EasyOptOut, both fixes proved incomplete, as each vulnerability could be reproduced after each patch. The firm had also warned that the issue appeared more severe than originally believed. More recently, Joseph Cox of 404 Media also independently confirmed that the flaw still existed.

The data privacy firm says it will not publish the reproduction details until Apple issues a fix for the vulnerability.

Where does this leave Apple users?

Both researchers have called on Apple to temporarily restrict the creation of new aliases using the Hide My Email feature and to notify iCloud subscribers about the issue. According to the researchers, doing so would reduce the potential attack surface while Apple works on developing a fix.

The researchers did not identify any websites that may have uncovered users’ real email addresses through the flaw. Still, anyone who has relied on Hide My Email to keep their identity separate from online services should consider that their protection may be weakened until Apple confirms the issue has been fully resolved.

For users, that doesn’t necessarily mean abandoning the feature altogether. Instead, it serves as a reminder that privacy tools are only as effective as the protections behind them. Going forward, users should be mindful that the email alias shielding their inbox may not always keep their real address out of reach.

As such, it is best not to use the feature if you’re unsure about the data-handling practices of any online service. As an alternative, if you must sign up for a less trusted service, create a sock puppet email.

Joseph Ofonagoro

Joseph is a technical writer with about three years of experience creating clear, practical content across consumer technology, startups, tutorials, and cybersecurity. He is also advancing a career in cyber threat intelligence, driven by a strong interest in the responsible use of technology and its role in protecting people, organizations, and digital systems. His passion for cybersecurity grew out of a broader commitment to helping others understand technology safely and effectively. As an undergraduate at the National Open University of Nigeria, he leads a community of technology enthusiasts, guiding beginners, sharing learning resources, and helping students build confidence as they explore careers in tech. Joseph’s writing combines technical curiosity with an accessible, beginner-friendly style. In addition to his editorial work, he periodically shares cybersecurity case studies and research reports on social media, covering threat trends, security lessons, and practical insights for readers interested in cyber awareness and digital safety.