Skip to content
Tech News
← Back to articles

Major Apple Bug Appears to Disclose All Real Emails for 'Hide My Email' Users

read original more articles
Why This Matters

The discovery of a significant vulnerability in Apple's Hide My Email feature exposes users' real email addresses, undermining privacy protections that are crucial for consumer security. This flaw highlights ongoing challenges in maintaining user privacy in widely used services and underscores the importance of timely security updates from major tech companies. For consumers, it serves as a reminder to remain cautious and vigilant about privacy tools until they are fully secured.

Key Takeaways

A not-so-small vulnerability in Apple's Hide My Email feature lets malicious actors see anyone's real email address, according to reports on Wednesday.

The co-founder of the Easy Opt Out service, Tyler Murphy, who spoke to 404 Media, said Apple has known about the problem for over a year but has not yet fixed the bug.

Hide My Email is an iCloud Plus service (starting at $1 per month), offering tools similar to any disposable or temporary email site. It lets you create an anonymized email address with the icloud.com domain for use when you don't want to share your real email address. The alias then expires after a set amount of time.

Such email aliases are common to ensure privacy when you sign up for new website or app accounts, test out coupons or download free versions of software or trial programs. If that service is later hacked, your real email won't be at stake.

While Murphy didn't give specifics on how the vulnerability works, he told 404 Media that Easy Opt Out had run tests with volunteers and that 100% of the Hide My Email addresses could be used to uncover the real address with basic identity search sites available to anyone. 404 Media did not disclose the details of the security issue because it could still be exploited at the time of its reporting.

Murphy reported that he notified Apple of the problem in June 2025. In March 2026, Apple said that it had addressed the problem, but Murphy found the vulnerability still existed.

By May 2026, Apple was reporting that it was still investigating the problem and requested that Murphy not go public, saying, "To avoid placing our customers at risk, we would appreciate you not disclosing this information until our investigation is complete." Murphy disagreed and unveiled his discoveries.

A representative from Apple did not immediately respond to CNET's request for comment.

If you use Hide My Email, you may want to stop for now. Keep an eye out over the next few months, as an Apple news report says the tech giant is planning updates to the tool this summer. One of those updates involves changing the domain from "icloud.com" to "private.icloud.com."

We're not sure why Apple is making that domain change, but it could make it easier for websites to automatically block any address that includes "private.icloud.com," which could push people into sharing their real email addresses instead of using an alias. That would significantly decrease the feature's value.