
Apple’s Hide My Email has been leaking real addresses for a year

Hide My Email is supposed to keep your real address off signup forms — but a year-old bug means it may not be doing that.
Photo: Apple

Apple’s Hide My Email has one job — to keep your real inbox out of other people’s hands. But it isn’t doing that job, and Apple has reportedly known about the problem for more than a year.

If you’ve ever used Hide My Email to sign up for a sketchy app or website, you’ll want to pay attention. A security researcher says he managed to unmask the real email address behind virtually every Hide My Email alias. And Apple hasn’t fixed it yet.

Hide My Email’s core promise is broken

Hide My Email is one of the useful perks bundled with iCloud+. Instead of sharing your real email with every website you sign up for, it generates a random, disposable address that ends with @icloud.com. The feature also automatically forwards mail to your real inbox.

A lot of iPhone owners use it to cut down on spam and keep their real email addresses away from the services they sign up for.

But the privacy trick is what’s currently broken. Tyler Murphy, the co-founder of the opt-out service EasyOptOuts, says he was able to reliably trace the real accounts behind Hide My Email addresses.

And in tests with volunteers, Murphy said he was able to exploit every single hidden address he tried.

Apple has been “looking into it” for a year now

A timeline reported by 404 Media suggests Murphy had flagged the problem back in June 2025. In March, Apple told him that the bug had been resolved through a recent system update. It hadn’t.

Murphy sent more proof, and Apple once again went quiet, asking him not to go public while the company looked into it. At the end of May, Apple told Murphy that it planned a fix “in the coming weeks.” That deadline came and went, which is why Murphy finally went public this week.

“Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses,” Murphy told 404 Media. The publication then verified the claims, saying the exploit worked against its own hidden addresses. Apple has yet to comment on the matter.

This affects more than just your inbox

An exposed email address isn’t scary — it’s what people do with it that matters. Data brokers can use an email as the starting point to pull together sensitive information like your name, home address, and phone number.

If you signed up for Hide My Email to stay off those sites, the exploit undermines the whole point. Moreover, there’s no timeline for when the flaw will actually be patched.

Apple is signaling that it is moving away from the current setup. Recently, the company confirmed that future Hide My Email addresses will switch from the @icloud.com domain to @private.icloud.com.

The change is welcomed by many, but it comes with a trade-off — services will find it easier to detect and block signups from Hide My Email addresses.

For now, if you rely on Hide My Email for anything sensitive, make sure to treat those addresses as less private than advertised — at least until Apple confirms it has fixed the issue.
