A security flaw in Apple’s Hide My Email service allows attackers to uncover the real email addresses concealed behind generated aliases, and the company has not fixed it despite receiving a detailed report more than a year ago.
Hide My Email is part of Apple’s paid iCloud+ subscription and generates random @icloud.com email aliases to shield users’ actual addresses when registering for websites or services. EasyOptOuts, an online privacy company, discovered the vulnerability and reported it to Apple in June 2025. Apple acknowledged the report but issued no patch.
In March 2026, Apple told EasyOptOuts co-founder Tyler Murphy it had “addressed the reported issue in a recent system change.” Murphy found the flaw persisted. Apple said it was investigating again and, as of May, asked Murphy not to publicly disclose the flaw pending a fix.
“Apple Hide My Email is leaking email addresses that are supposed to be hidden,” Murphy said. “We don’t know why it hasn’t been fixed, but we don’t feel comfortable waiting any longer. Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses.”
404 Media verified the flaw independently on July 1, 2026. In limited tests, 100% of the Hide My Email addresses tested were found to be exploitable. Murphy noted that freely accessible people-search databases (online directories that can link an email address to a person’s name and home address) create a secondary risk for anyone relying on the feature for personal safety.
The disclosure follows a separate June report by TechCrunch that Apple planned to move Hide My Email aliases from @icloud.com to @private.icloud.com, a change that would allow services to identify and block aliases outright.
Apple has not rolled out the migration, and Murphy’s proposal that Apple pause new Hide My Email address creation as an interim safeguard appears to have gone unanswered.






