

Apple’s Hide My Email feature is facing scrutiny after researchers reported that a vulnerability could expose the original inbox associated with those aliases. This feature was designed to protect user privacy by hiding real email addresses behind random aliases. The issue was first reported in 2025 and has still not been fully fixed despite repeated claims of resolution.
The email feature is part of Apple’s iCloud+ subscription. It allows users to create disposable email addresses while signing up for websites and services. Emails sent to these aliases are forwarded to the user’s real inbox, while the actual email address stays hidden from websites and third parties.
Security researcher Tyler Murphy, co-founder of data removal service EasyOptOuts, identified a flaw that can reveal the real email address behind a Hide My Email alias. The issue was reported to Apple on June 11, 2025. Murphy noted that the method allows access to an alias, which can be traced back to the actual inbox receiving those emails.
This undermines the feature's main purpose: keeping personal email addresses private when signing up for online services. Neither Murphy nor the independent verification platform 404 Media has released technical details of the flaw. They reported this was done to avoid wider misuse while the issue remains active.
According to the disclosure record shared by Murphy, Apple first acknowledged the issue in July 2025 and said the behavior was not intended. In March 2026, Apple informed the researcher that the issue had been fixed. However, subsequent testing showed the problem was still present. Murphy reported it again in the same month and confirmed that the issue may be broader than initially understood.
By late May 2026, Apple requested that the matter not be made public, saying a fix was expected soon. On June 30, 2026, Apple again stated that the issue had been resolved. However, independent testing conducted on July 1, 2026, reportedly found that the vulnerability still worked. The long timeline has raised concerns in the security community, especially after multiple assurances that the issue had already been fixed.
At first glance, exposure of an email address may not appear highly serious. However, security experts say the risk can increase depending on how the feature is used. Hide My Email is commonly used when signing up for unfamiliar websites or services where users prefer not to share their real identity.
It is also used by individuals who need stronger privacy protection, including professionals handling sensitive communications. If an email address is exposed, it can sometimes be linked to personal details through public databases and data broker services. This can increase the likelihood of larger identity exposure beyond the email itself.
Apple is also working on changes to its email privacy system. The company plans to combine Hide My Email and Sign in with Apple relay addresses under a new @private.icloud.com domain. Privacy experts say a dedicated domain could make it easier for websites to identify and block privacy-based email aliases.
This change is not directly related to the reported vulnerability, but it has added to broader questions about the future strength of Apple’s email privacy protections.
The technical details of the exploit have not been made public, which limits the risk of widespread misuse for now. However, researchers caution that users who rely on Hide My Email for privacy should remain careful until a confirmed fix is released. Apple has not issued a public advisory or shared a clear timeline for a permanent solution.