Apple’s Hide My Email Has Been Leaking Real Addresses for Over a Year
Apple has known since June 2025 that any Hide My Email alias can be unmasked in about five minutes. The fix has not shipped in over a year.
Apple markets “Hide My Email” as a privacy shield for paying iCloud+ subscribers, a way to give every signup form and unknown sender a throwaway address that never exposes the real inbox. A vulnerability reported and verified this week shows how thin that shield is: a flaw that lets an attacker reverse-engineer the real email address behind almost any Hide My Email alias in roughly five minutes. The data-removal firm that first reported the issue to Apple says it reproduced the unmasking with a 100% success rate in limited tests.
Five Minutes to Unmask
The disclosure originates with EasyOptOuts, a data-removal service whose co-founder Tyler Murphy discovered the flaw and reported it to Apple’s security desk in June 2025 with step-by-step reproduction instructions. To verify the issue before going public, 404 Media reporter Joseph Cox generated a fresh Hide My Email alias and handed the address to Murphy. Murphy extracted Cox’s real Apple ID email within about five minutes. 9to5Mac reported that “tests found 100% of generated addresses allowed an attacker to reveal the real email associated with the Apple account.”
The report that reproduced the flaw on a hidden email alias withholds the specific reproduction steps because the flaw remains live as of publication. Its account of the disclosure timeline says Apple repeatedly asked the researchers to hold off until a fix was ready. Murphy had asked Apple to suspend new Hide My Email creation as an interim step; the company made no public acknowledgement before the disclosure.
Apple documents Hide My Email as a way for users to “create unique, random email addresses to use with apps, websites, and more so your personal email can stay private.” The feature is paid for through iCloud+, sits inside Apple’s Mail and Settings apps, and forwards every reply to the user’s real inbox. With every alias in Murphy’s pool leaking the underlying address, that product description is at odds with what 404 Media reproduced on its own account.

A Year of Broken Fixes
The researcher at the centre of the disclosure had wanted the fix to land quietly. Tyler Murphy filed the first vulnerability report to Apple’s security desk on June 11, 2025, with Apple representatives confirming on the same call that Hide My Email is “not intended by design to allow discovery of the hidden address.” Apple’s first acknowledgement that the vulnerabilities were under review arrived a month later, on July 14, 2025.
That trust between researcher and vendor frayed in the spring of 2026. The full reproduction-and-disclosure timeline published alongside the report shows Apple told the team in March 2026 the issue was closed. EasyOptOuts re-ran the original reproduction the same month and found the vulnerability was still present. Apple’s response to escalating severity evidence was to ask the researchers to stay quiet while the investigation continued.
- June 11, 2025: EasyOptOuts reports a vulnerability in Hide My Email to Apple’s security desk. Apple confirms the feature is “not intended by design” to allow discovery of the underlying address.
- June 13, 2025: Detailed reproduction instructions submitted to Apple.
- July 9, 2025: A second, related vulnerability that also allows hidden address discovery is reported.
- July 14, 2025: Apple’s first message acknowledging that the vulnerabilities are under review.
- March 3, 2026: Apple tells EasyOptOuts the issues have been fixed and asks for verification.
- March 19, 2026: EasyOptOuts tests again and determines the vulnerabilities still work.
- May 22, 2026: EasyOptOuts reports the vulnerabilities’ greater severity and scope to Apple.
- End of May 2026: Apple promises a security update “in the coming weeks” and asks for continued silence.
- June 30, 2026: Apple again says the issues are fixed; EasyOptOuts verifies the same day that the vulnerabilities still work; researchers go public.
By the end of May, Apple’s public posture was a security update “in the coming weeks.” Murphy proposed pausing creation of new Hide My Email addresses, or warning existing users, until the patch shipped. No public acknowledgement from Apple followed. On June 30, 2026, Apple told the team the issue was fixed for the second time. EasyOptOuts verified the same day that the vulnerability was still present as originally described, with the researchers going public the day after.
“We don’t know why it hasn’t been fixed, but we don’t feel comfortable waiting any longer. Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses.”
That statement came from Tyler Murphy, co-founder of EasyOptOuts, in quotes carried by 404 Media and republished by MacRumors. Apple had not returned a request for comment on the disclosure to several outlets by the time the story broke.
Why an Alias Leak Cuts Deeper Than Spam
Subscribers signed up for Hide My Email for specific privacy reasons. Apple’s iCloud+ page markets the feature as a way to keep a personal inbox private from apps, websites, and services a subscriber does not fully trust. An email alias that forwards everything is an effective fit for that purpose, so long as the real address behind the alias stays private. What 404 Media reproduced in its own tests calls that fit into question.
Free, publicly accessible people-search databases make it straightforward to link an email to a name, a phone number, a home address, and other records. Murphy and 404 Media both flagged this combination as the underlying risk: an attacker who collects a Hide My Email alias from a public signup, a forum post, or a leaked data broker file can hand it to a people-search engine and come out with a personal profile attached to the real iCloud inbox. The feature that was supposed to be a wall ends up advertising the inbox it was meant to protect.
The exposure lands harder on users who picked Hide My Email for safety reasons. Apple’s iCloud+ documentation encourages subscribers with high-stakes anonymity needs to rely on the feature. EasyOptOuts and 404 Media both flagged people-search databases as a route from a single alias to a real personal profile. Apple had not responded to a request for comment on the disclosure by the time the story broke.
Apple’s Quiet Domain Move
The week of June 16, 2026, Apple told developers about a quieter change to the same feature. The company said it would, in the coming weeks, move all newly generated Hide My Email addresses to a new domain, @private.icloud.com. Existing addresses would continue to forward mail without interruption, and Apple framed the move as a way to keep generated aliases working through app and email filters.
Aliases on @icloud.com have worked in the first place because any party receiving a random address on that domain cannot tell an alias apart from a regular iCloud user’s address. The new domain strips that anonymity away at the receiving end: site owners and app developers can recognize a private alias as such and flag it, throttle it, or refuse it at signup. Apple’s developer note moving aliases to a separate domain told providers to update filtering so emails to existing customers keep flowing. Apple did not respond to TechCrunch’s request for comment about the change, and several Apple users on Reddit criticized the move on the grounds that it would weaken the anonymity the feature existed to provide.
What iCloud+ Users Can Do Right Now
EasyOptOuts has recommended that subscribers change how they use the feature while the underlying flaw remains live. Apple has not announced it is acting on the suggestion, leaving subscribers to choose which mitigations make sense for them. Existing aliases remain in place for forwarding, so disabling the feature outright would also disrupt any in-flight conversations tied to those aliases.
- Pause new Hide My Email creation until a fix ships.
- Keep real-inbox identifiers out of any indexed public field.
- Prefer a separate alias provider for accounts tied to finances or identity documents.
- Avoid handing a Hide My Email address to anyone you do not already trust.
- Treat any alias already given to a public signup as exposed.
Apple typically bundles security fixes into iOS and macOS updates. The recent iOS 26.5.2 security update, which closed a separate batch of 29 vulnerabilities across WebKit and other components, sets the cadence the next security release is likely to follow. The EasyOptOuts disclosure and the Reddit criticism of Apple’s @private.icloud.com move landed in close succession, with no joint statement from Cupertino tying the two changes together. Apple has not publicly responded to a request for comment linking the EasyOptOuts timeline with the new domain.
Until any patch lands, subscribers have only the option to harden what the aliases do receive. Tighten iPhone Mail filters against alias-routed spam, with the trade-off that legitimate signups and shipping notifications land alongside the spam. For accounts already tied to a Hide My Email address, switching to a separate alias service for finances or government forms is a sensible hedge before more is known about how Apple intends to close the unmasking gap. Existing aliases continue to forward mail until disabled individually through Settings in iOS. Disabled aliases can be re-enabled at any time if the subscriber decides they want incoming mail from that alias again.
Frequently Asked Questions
What is Apple’s “Hide My Email”?
Hide My Email is the paid iCloud+ feature that lets a subscriber generate a random @icloud.com address for any signup, with mail from that alias forwarded automatically to the subscriber’s real inbox. Apple pitches the feature as a way to keep a personal email private from the apps, websites, and people that handle the alias.
Who discovered the Hide My Email vulnerability?
Tyler Murphy, co-founder of the data-removal service EasyOptOuts, identified the flaw and first reported it to Apple’s security desk on June 11, 2025. 404 Media reporter Joseph Cox independently verified the exploit in late June 2026 by generating a fresh Hide My Email alias and handing it to Murphy, who returned Cox’s real iCloud address in roughly five minutes.
Is Apple fixing the vulnerability?
Apple has told EasyOptOuts twice, in March 2026 and again on June 30, 2026, that the issue was fixed. EasyOptOuts verified after each of those statements that the flaw still worked using the same reproduction instructions. Apple told the researchers in May 2026 that a security update would arrive “in the coming weeks,” and any patch would, by Apple’s usual practice, arrive in the next iOS or macOS security release.
Should I keep using Hide My Email?
Existing aliases continue to forward mail, so most subscribers do not need to disable the feature outright. EasyOptOuts recommends pausing creation of new Hide My Email addresses until a fix ships, avoiding the feature for accounts tied to finances or identity documents, and treating any alias already handed to a public signup as exposed.
How does Apple’s plan to move aliases to private.icloud.com fit in?
Separately from the disclosure, Apple told developers the week of June 16, 2026 that newly generated Hide My Email addresses would move to a dedicated @private.icloud.com domain. Existing addresses keep working unchanged. Critics on Reddit argued the move would make it easier for services to block the private aliases outright, a concern Apple did not address in its note or in response to press inquiries.
