Apple’s Hide My Email Bug Lets Attackers Uncover Real Email Addresses, Tests Show
Image: Межа. Новини України.

Apple’s Hide My Email Bug Lets Attackers Uncover Real Email Addresses, Tests Show

01 July, 2026.Technology and Science.19 sources

Key Takeaways

  • Privacy flaw allows unmasking real emails from Hide My Email disposable addresses.
  • Unpatched vulnerability since disclosure to Apple over a year ago.
  • Affects millions of iCloud+ subscribers, exposing their real addresses.

Unpatched privacy flaw

Apple’s Hide My Email feature, an iCloud+ privacy tool, has a vulnerability that allows attackers to uncover a user’s real email address from the generated disposable ones, according to BigGo Finance and verified by 404 Media.

A privacy flaw in Apple’s Hide My Email feature means that your real email address can be discovered

9to5Mac9to5Mac

The issue was reported to Apple over a year ago, with Tyler Murphy, co-founder of EasyOptOuts, first alerting Apple in June 2025 and Apple later claiming it had been fixed in March 2026, while further testing found otherwise.

Image from 9to5Mac
9to5Mac9to5Mac

In tests conducted with volunteers, the exploit was successful 100% of the time, meaning every single Hide My Email address tested could be traced back to its owner’s primary inbox, BigGo Finance reported.

Gizmodo reported that Murphy was able to connect the anonymous email to the corresponding Apple account in about five minutes after 404 Media generated a Hide My Email address and shared it with him.

Murphy’s warning

Murphy told 404 Media, as quoted by Gizmodo, "Apple Hide My Email is leaking email addresses that are supposed to be hidden," framing the flaw as a direct breach of the feature’s purpose.

Gizmodo also reported that Murphy said, "We reported the issue and replication instructions to Apple over a year ago," and added that he did not know why it had not been fixed.

Image from AppleInsider
AppleInsiderAppleInsider

BigGo Finance said Apple asked Murphy to keep quiet, promising a fix by June 2026, a deadline that has now passed with no resolution.

Digital Trends reported that as recently as May 2026 Apple told Murphy it was still investigating and asked him not to go public, while 404 Media verified the issue by generating a new Hide My Email address and having Murphy return the real email address about five minutes later.

What’s at stake

BigGo Finance warned that once a real email is linked to a disposable one, it can be cross-referenced with publicly available people-search sites to expose a user’s full name, phone number, physical address, and other personal details.

A serious security flaw in Apple’s Hide My Email feature, a cornerstone privacy tool for iCloud+ subscribers, has been discovered that allows attackers to unmask a user’s real email address from the generated disposable ones

BigGo FinanceBigGo Finance

The same source said the concern is particularly troubling for journalists, activists, and anyone relying on the feature for safety or anonymity, because the bug undermines the protection Hide My Email is marketed to provide.

Gadget Review added that Murphy went public after Apple promised a fix "in the coming weeks" and that Apple has not issued a public statement on the vulnerability.

Separately, Gizmodo reported that Apple’s Hide My Email addresses are being created with a @privaterelay.appleid.com domain and that TechCrunch said Apple is stopping generation with the @icloud.com domain and instead using @private.icloud.com, a change that could make it easier for websites to block these signups.

More on Technology and Science