Apple Hide My Email Vulnerability Can Expose Real Email Addresses, Researcher Says
A reported vulnerability in Apple’s Hide My Email feature can reveal the real email address behind a private relay alias, according to 404 Media and researcher Tyler Murphy.
Murphy, co-founder of EasyOptOuts, said he reported the issue to Apple more than a year ago. 404 Media said it tested the bug against one of its own hidden email addresses and confirmed that the issue remained exploitable as of Monday.
The exact method has not been published because the flaw was still active when the report went live. That keeps the article from becoming a step-by-step guide for abuse, but it also leaves Hide My Email users with an important privacy warning.
What Hide My Email Is Supposed To Do
Hide My Email is an iCloud+ privacy feature that creates unique relay addresses. Apple says Hide My Email forwards messages to a user’s personal inbox while keeping the personal email address private.
The feature works in several Apple services and apps. Apple’s iCloud guide says users can create and manage unique, random email addresses on iPhone, iPad, Mac, and iCloud.com.
People often use these aliases to sign up for websites, newsletters, apps, stores, and online services without handing over their main email address. If one alias starts receiving spam, the user can turn it off without replacing their primary inbox.
| Feature | Expected privacy benefit | Reported risk |
|---|---|---|
| Hide My Email alias | Hides the user’s real email address from apps and websites | The real address may be discoverable through the reported flaw |
| Email forwarding | Lets users receive messages without exposing their inbox | Attackers could link an alias back to the private inbox |
| Unique addresses | Separates accounts across different services | Aliases may become weaker identifiers if they can be resolved |
| Alias management | Lets users disable addresses that receive spam | Disabling an alias may not undo exposure of the real address |
Why The Reported Bug Matters
The reported flaw cuts at the main promise of the feature. If someone can resolve a Hide My Email alias back to the real address, the alias no longer acts as a strong privacy boundary.
That creates risks for people who use different aliases to separate personal, professional, political, financial, or sensitive accounts. It can also help advertisers, data brokers, scammers, or stalkers connect accounts that a user intended to keep separate.
The risk becomes more serious for journalists, activists, whistleblowers, victims of harassment, and people trying to reduce their exposure online. For those users, email privacy can affect physical safety, not only spam volume.
Apple Was Told About The Issue In 2025
According to 404 Media, Murphy reported the vulnerability to Apple in June 2025 and provided reproduction instructions. He later decided on partial disclosure after the issue remained unresolved.
AppleInsider reported that Apple told Murphy in March 2026 that it had addressed the issue in a recent system change. Murphy then found the problem still worked and sent Apple more information.
The same report says Apple later told Murphy it was still investigating the issue and expected to address it in a security update. Apple did not provide a public mitigation for users at the time of those reports.
- The issue was reportedly discovered in June 2025.
- Murphy reported the flaw to Apple with reproduction details.
- Apple reportedly said in March 2026 that it had addressed the issue.
- Murphy later found that the weakness still remained.
- 404 Media verified the issue with one of its own hidden email addresses.
What Users Should Assume For Now
Users should not treat Hide My Email as a fully anonymous identity system. It can still reduce casual exposure, spam, and routine tracking, but the new report suggests it may not protect against a determined person trying to uncover the linked real address.
Apple’s documentation says Hide My Email keeps a user’s personal email address private when used through Sign in with Apple. The reported weakness challenges that expectation in cases where an attacker has the alias and knows how to test it.
Users who relied on aliases for sensitive accounts should review where they used them. They should also consider replacing the real forwarding inbox behind high-risk aliases with an address that does not reveal personal identity.
| User type | Risk level | Recommended action |
|---|---|---|
| Casual users | Moderate | Keep using aliases for spam reduction, but avoid assuming anonymity |
| Privacy-conscious users | High | Review sensitive accounts and separate them from identifying inboxes |
| Journalists and activists | Very high | Use dedicated email identities and stronger operational security |
| Businesses | Moderate | Warn staff not to rely on Hide My Email for confidential workflows |
Apple Is Also Changing Hide My Email Domains
The vulnerability report arrives shortly after Apple announced a separate change to Hide My Email. On June 15, Apple said new relay addresses for Sign in with Apple and iCloud+ Hide My Email will move to a shared private.icloud.com domain later this summer.
Apple said existing addresses on older domains will keep working and continue forwarding messages. Developers and email providers have been told to update validation, allowlists, filtering, and routing rules so messages sent to the new domain are accepted.
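An added example (not code from Apple or from this article) of the allowlist update described above: an exact-match check that accepts both the new and an older relay domain, next to a suffix rule that misclassifies addresses. `private.icloud.com` is the domain named in this article; `privaterelay.appleid.com` as the older relay domain, the function names and the sample addresses are assumptions.

```python
# Added example: exact-match relay-domain check for sign-up or mail validation.
# "private.icloud.com" is the new domain named in the article;
# "privaterelay.appleid.com" is assumed here as the older relay domain.
RELAY_DOMAINS = frozenset({"private.icloud.com", "privaterelay.appleid.com"})


def relay_domain(address, allowed=RELAY_DOMAINS):
    """Return the allowlisted relay domain of `address`, or None."""
    # Split on the last "@" so the domain is always the final part.
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local:
        return None
    # Normalise case and a trailing root dot before comparing.
    domain = domain.rstrip(".").lower()
    # Exact membership: no suffix or substring matching, no subdomains.
    return domain if domain in allowed else None


def naive_is_relay(address):
    """Weak rule kept for comparison: suffix match on the new domain only."""
    return address.lower().endswith("private.icloud.com")


def disagreements(addresses):
    """Addresses that the weak rule and the exact rule classify differently."""
    return [a for a in addresses
            if naive_is_relay(a) != (relay_domain(a) is not None)]


# Constructed sample addresses, not real aliases.
SAMPLE = [
    "a1b2c3@private.icloud.com",        # new domain: both rules accept
    "x9@privaterelay.appleid.com",      # older domain: weak rule drops it
    "u@notprivate.icloud.com",          # look-alike: weak rule accepts it
    "u@private.icloud.com.example.net", # wrong parent domain: both reject
    "u@example.org",                    # ordinary address: both reject
]

if __name__ == "__main__":
    for addr in SAMPLE:
        print(f"{addr:36} exact={relay_domain(addr)} weak={naive_is_relay(addr)}")
    print("misclassified by the weak rule:", disagreements(SAMPLE))
```

The two disagreements are the failure modes to test for after updating rules: an existing alias on an older domain that stops being accepted, and a look-alike domain that is treated as an Apple relay.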
Privacy advocates have raised a separate concern about that domain change. TechCrunch noted that moving private aliases to a dedicated domain could make it easier for websites to identify and block anonymous sign-ups.
The Vulnerability Is Different From Law Enforcement Disclosure
This reported bug should not be confused with legal requests for account records. In March, TechCrunch reported that Apple provided federal agents with records linking Hide My Email aliases to real account information in response to legal process.
That earlier case showed that Apple can hold account linkage data needed to operate the relay service. The new vulnerability report is different because it claims an attacker may be able to discover the real address without a court order or insider access.
Together, the two cases highlight a practical limit of email relay systems. They can reduce what apps and websites see, but they do not make email identity unlinkable in every situation.
Steps Hide My Email Users Can Take
Apple has not published user-facing mitigation steps for this specific reported vulnerability. Until it does, users should lower their trust in existing Hide My Email aliases for sensitive accounts.
The safest response is to treat existing aliases as potentially linkable to the real forwarding address. Users can still benefit from spam control, but they should avoid using those aliases as proof that their real identity remains hidden.
- Review aliases used for sensitive services, forums, newsletters, or accounts.
- Change the forwarding address for high-risk aliases where possible.
- Use a separate email account for sensitive activity instead of forwarding everything to a personal inbox.
- Disable old aliases that no longer serve a purpose.
- Avoid using a real name or identifying inbox behind privacy-focused aliases.
- Watch for phishing attempts sent to both an alias and the real address.
- Use end-to-end encrypted tools for conversations that need strong confidentiality.
What Apple Needs To Clarify
Apple needs to explain whether the reported weakness has been fixed, when users should expect a security update, and whether any real email addresses may have been exposed through exploitation.
The company should also clarify whether the upcoming private.icloud.com change relates to the vulnerability or only to service architecture. Apple’s public developer notice does not frame the domain change as a security fix.
The issue also raises broader questions about privacy marketing. A feature can be useful for reducing spam and limiting routine data sharing, while still falling short for users who need protection from targeted deanonymization.
Bottom Line
Hide My Email remains useful for reducing direct exposure of a personal inbox during everyday sign-ups. However, the reported vulnerability means users should not rely on it as a strong anonymity tool until Apple provides a clear fix and public guidance.
People who used Hide My Email for sensitive accounts should review those accounts now. The practical goal is to reduce the damage if an alias can be tied back to a real address.
Apple’s iCloud setup guide shows how users can view and manage Hide My Email addresses across devices. That review should now become part of basic privacy hygiene for anyone who relied on the feature heavily.
FAQ
A researcher says a vulnerability in Apple’s Hide My Email feature can reveal the real email address behind a private relay alias. 404 Media said it verified the issue but withheld exploit details because the flaw was still active.
Tyler Murphy, co-founder of EasyOptOuts, reportedly discovered the issue and reported it to Apple in June 2025 with reproduction instructions.
Hide My Email can still help reduce spam and routine exposure of your personal inbox. However, users should not treat it as a strong anonymity tool until Apple confirms a fix for the reported flaw.
Apple had not published a public user-facing mitigation for the specific reported vulnerability at the time of the reports. Apple reportedly told the researcher it was investigating and expected to address the issue in a security update.
Users should review aliases tied to sensitive accounts, avoid relying on aliases for anonymity, consider using a separate non-identifying email account for sensitive activity, and disable old aliases they no longer need.