
Apple 'Hide My Email' vulnerability reveals people's real email addresses

Why This Matters

The vulnerability in Apple's 'Hide My Email' service exposes users' real email addresses, undermining the privacy it promises. This highlights the importance of rigorous security testing for privacy-focused features and raises concerns for consumers relying on these tools for anonymity. The delayed response from Apple underscores the need for timely security fixes in widely used privacy services.

Key Takeaways

Apple's Hide My Email service is used by iCloud+ customers around the world to send and receive emails while keeping their personal, permanent email address private. The service generates random, unique email addresses to act as an intermediary between your actual email address and the people you're emailing. For example, you could be given the email address [email protected] to hide your real email address, [email protected]. People use Hide My Email addresses to sign up for accounts and communicate while maintaining privacy and anonymity.

We've discovered vulnerabilities in Hide My Email that allow attackers to discover the meant-to-be-hidden address behind a Hide My Email address. We reported the issue to Apple over a year ago, and as of June 30, 2026, it still hasn't been fixed. About a month ago, we realized that the vulnerabilities' severity and scope are greater than we initially thought. We're publicly disclosing the existence of the vulnerability now because we think Hide My Email users deserve to know that their email addresses may not actually be hidden. We want people to be able to account for this risk when deciding when and how to use Hide My Email. Many thanks to Joseph Cox at 404 Media for acting as a trusted third party to verify and publicize the issue responsibly.

Here's a timeline:

June 11, 2025: We discovered a vulnerability in Hide My Email and reported it to Apple. Apple confirmed that Hide My Email is "not intended by design to allow discovery of the hidden address" and asked for more details.

June 13, 2025: We submitted a detailed report with reproduction instructions.

June 20, 2025: We submitted more information, hoping it would help Apple troubleshoot.

July 9, 2025: We reported a similar but different vulnerability that also allows hidden email addresses to be discovered.

July 14, 2025: Apple sent their first message acknowledging that the vulnerabilities were under review.

March 3, 2026: Apple reported that the vulnerabilities were fixed and asked us to verify.

March 19, 2026: Using the reproduction instructions from our initial report, we determined that the vulnerabilities hadn't been fixed.
