
Apple’s Hide My Email Bug Lets Attackers Uncover Real Email Addresses, Tests Show
Key Takeaways
- Privacy flaw allows unmasking real emails from Hide My Email disposable addresses.
- Unpatched vulnerability since disclosure to Apple over a year ago.
- Affects millions of iCloud+ subscribers, exposing their real addresses.
Unpatched privacy flaw
Apple’s Hide My Email feature, an iCloud+ privacy tool, has a vulnerability that allows attackers to uncover a user’s real email address from the generated disposable ones, according to BigGo Finance and verified by 404 Media.
“A privacy flaw in Apple’s Hide My Email feature means that your real email address can be discovered”
The issue was reported to Apple over a year ago, with Tyler Murphy, co-founder of EasyOptOuts, first alerting Apple in June 2025 and Apple later claiming it had been fixed in March 2026, while further testing found otherwise.

In tests conducted with volunteers, the exploit was successful 100% of the time, meaning every single Hide My Email address tested could be traced back to its owner’s primary inbox, BigGo Finance reported.
Gizmodo reported that Murphy was able to connect the anonymous email to the corresponding Apple account in about five minutes after 404 Media generated a Hide My Email address and shared it with him.
Murphy’s warning
Murphy told 404 Media, as quoted by Gizmodo, "Apple Hide My Email is leaking email addresses that are supposed to be hidden," framing the flaw as a direct breach of the feature’s purpose.
Gizmodo also reported that Murphy said, "We reported the issue and replication instructions to Apple over a year ago," and added that he did not know why it had not been fixed.

BigGo Finance said Apple asked Murphy to keep quiet, promising a fix by June 2026, a deadline that has now passed with no resolution.
Digital Trends reported that as recently as May 2026 Apple told Murphy it was still investigating and asked him not to go public, while 404 Media verified the issue by generating a new Hide My Email address and having Murphy return the real email address about five minutes later.
What’s at stake
BigGo Finance warned that once a real email is linked to a disposable one, it can be cross-referenced with publicly available people-search sites to expose a user’s full name, phone number, physical address, and other personal details.
“A serious security flaw in Apple’s Hide My Email feature, a cornerstone privacy tool for iCloud+ subscribers, has been discovered that allows attackers to unmask a user’s real email address from the generated disposable ones”
The same source said the concern is particularly troubling for journalists, activists, and anyone relying on the feature for safety or anonymity, because the bug undermines the protection Hide My Email is marketed to provide.
Gadget Review added that Murphy went public after Apple promised a fix "in the coming weeks" and that Apple has not issued a public statement on the vulnerability.
Separately, Gizmodo reported that Apple’s Hide My Email addresses are being created with a @privaterelay.appleid.com domain and that TechCrunch said Apple is stopping generation with the @icloud.com domain and instead using @private.icloud.com, a change that could make it easier for websites to block these signups.
More on Technology and Science

Typhoon Bavi Kills At Least 15 in Philippines as It Threatens Taiwan and Japan
19 sources compared

Wildfire Kills At Least 12 Near Los Gallardos, Leaving 23 Missing In Andalusia
41 sources compared

OpenAI Sunsets ChatGPT Atlas Browser, Pivots to ChatGPT Desktop App With ChatGPT Work
13 sources compared

FTC And Five States Reach 10-Year Right-To-Repair Settlement With Deere & Company
10 sources compared