Skip to content
Tech News
← Back to articles

Apple’s Hide My Email feature might not be so private after all

read original more articles
Why This Matters

Apple’s Hide My Email feature, designed to protect user privacy by generating anonymous email addresses, has a critical security flaw that could expose users’ primary emails. This vulnerability raises concerns about the effectiveness of privacy features in widely used tech services and highlights the need for timely security patches to protect consumer data. As Apple has yet to fix the issue, users remain at risk of potential privacy breaches.

Key Takeaways

Edgar Cervantes / Android Authority

TL;DR Apple’s Hide My Email feature, which generates one-off email addresses to obscure users’ primary emails, has a significant security vulnerability.

The vulnerability could allow bad actors to uncover users’ primary email addresses using generated Hide My Email addresses.

Apple was first alerted to the vulnerability in June of 2025, but has not patched it.

Apple offers a handy feature called Hide My Email that generates one-off email addresses that redirect to your primary email, giving users a way to share contact information without divulging any personal or account info. That’s how it should work in theory, at least — but a vulnerability that can expose users’ primary email addresses has been discovered, and it doesn’t sound like Apple is in much of a hurry to fix it.

As reported by 404 Media‘s Joseph Cox, the issue was first raised with Apple by personal data removal service EasyOptOuts more than a year ago. Apple’s acknowledged the problem in communication with EasyOptOuts co-founder Tyler Murphy, but as of May, the company said it was still investigating. Murphy told 404 that “in our limited tests with volunteers, 100% of Hide My Email addresses were exploitable.”

Apple’s Hide My Email is available with paid iCloud+ subscriptions and generates randomized addresses that are linked to your main email inbox, but that don’t include your name or any variation of your “real” email address. The privacy implications are obvious: If a generated email address lands on a mailing list you didn’t subscribe to or turns up in a data breach, it’s a much smaller problem to contain than if the permanent email you use to access your iCloud account does.

The report says that Murphy has been in contact with Apple about the vulnerability since last June. Earlier this year, the company told Murphy that it was looking into it and asked him not to publicly share any details about the vulnerability. 404 doesn’t include any details about how the exploit works, but Cox writes that, using the exploit on a freshly generated Hide My Email address, Murphy was able to uncover Cox’s true email address within minutes.

I’ve always wished that more email providers, and Gmail in particular, would offer a similar feature to Hide My Email — there aren’t many people or organizations I want having the email address that’s tied to my primary Google account. You can use aliases to similar effect, but it’s not quite the same. Ideally, if other providers do take a crack at a similar offering, they’ll avoid whatever pitfall that’s been identified in Apple’s system.

Follow