Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

MacRumors

macrumors bot
Original poster


A flaw in Apple's Hide My Email service can reportedly allow almost anyone to uncover the real email address behind a generated alias, and Apple has failed to address it for more than a year since it was first reported.

General-macOS-Mail-Feature.jpg

404 Media is withholding the technical specifics of the vulnerability because it remains exploitable, but the publication verified the issue this week using one of its own Hide My Email addresses. In tests with volunteers by the researcher who discovered the flaw, 100% of Hide My Email addresses were found to be exploitable.

Tyler Murphy, co-founder of EasyOptOuts, discovered the issue and responsibly reported it to Apple in June 2025, along with instructions to replicate it. Apple acknowledged the report a month later and said it was investigating. Murphy said:

Apple Hide My Email is leaking email addresses that are supposed to be hidden. We reported the issue and replication instructions to Apple over a year ago. We don't know why it hasn't been fixed, but we don't feel comfortable waiting any longer. Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses.

Free, publicly accessible people-search sites make it easy to link an email address to other personal details, so people relying on Hide My Email for safety may be at risk.

In March 2026, Apple told Murphy it had "addressed the reported issue in a recent system change," but Murphy found the flaw had not in fact been closed. He provided further information, and Apple replied again to say it was still investigating.

In May, Apple once more said the issue remained under investigation and asked Murphy not to disclose it publicly until the inquiry was complete. Murphy proposed that Apple suspend the creation of new Hide My Email addresses as an interim measure to limit customer risk, but there is no indication that suggestion was acted on. By the end of May, Apple said it expected to address the issue in a security update "expected in the coming weeks."

Hide My Email is an iCloud+ feature that lets users generate random alias email addresses, primarily for use when signing up to services or corresponding with third parties. It is designed to protect a user's real email address from spam, data breaches, and unwanted identification.

Murphy noted that numerous people-search databases are freely available online and can tie an email address to a person's other personal details, meaning anyone depending on Hide My Email for their safety may be more exposed than they realize. Last month, it emerged that Apple's decision to move Hide My Email to a dedicated "private.icloud.com" domain appears to have the consequence of making it easier for platforms that want to block iCloud aliases to do so.

Article Link: Apple Hide My Email Vulnerability Exposes Real Email Addresses
 
Last edited:
Well, this is interesting. I don't use the service to hide so much as I use it to avoid spam to my actual iCloud address. Most of my communication is with my non-Apple email but with hide my, it seemed to be a good option for services I didn't want to share my regular email or to speed the login process. Hope this is fixed soon.
 
“We don't know why it hasn't been fixed…”

It hasn’t been fixed because Apple don’t fix bugs.

There are countless text editing/entry bugs in iOS/iPadOS that appeared during iOS 18 and were never fixed to this day.

I’m also still suffering corrupt iMessage conversations on iPhone when the addressee has both iMessage on a Mac and RCS on a droid phone, mixed back & forth in a conversation (I can’t send iMessages to ONE person, only, on my iPhone, but it works on all other devices, and the same recipient CAN get iMessages from me in a shared/group conversation on my iPhone). This started in iOS 18, still not fixed. Deleting and creating a new conversation used to correct it in iOS 18 but not in iOS 26. When it fails to send from iPhone, it fails entirely SILENTLY, with no error messages.

I could list countless bugs they’ve never fixed across major OS revisions. Apple don’t care. All they want to do is push people to buy the same devices over and over, by throwing “new features” at us that show up broken and never get fixed, and subscribe to services, like this “service” being shown as broken in this article.
 
Would be nice to know whether deactivating a HME address limits vulnerability to this.

Most plausible theory I've seen someone come up with this morning given my limited knowledge is that someone can send a "malformed" email to a HME address and get back a bounced email that reveals the address being forwarded to.
 
This is very unfortunate. I painstakingly decoupled each of my vendor (Amazon, Target, etc.) accounts to individual HideMy addresses, sandboxing them on a 1 to 1 basis. That way, if there is a data breach, I can easily retire the specific address associated with that particular vendor account and create a new one with minimal effort and no collateral damage. I currently have 81 unique HideMy address that forward to my main iCloud account. Ugh.
 
This is the kind of thing that seriously undermines any claim that Apple is the “privacy” choice for consumers.
I use “Hide my Email” regularly, so learning about this is really maddening. Apple management obviously doesn’t see it as a serious issue if they allowed it to linger this long. How big of a chunk of salt are expected to bring along when we listen to their ads, like the ones running currently regarding Safari and trackers, for example?
 
There is such an easy solution for this. Just create an email account that you don't care and use that one. I have many and one specific for websites that ask you for an email address and I do not want to get emails from them. Easy and they can send me whatever they want. I also have an email for online shopping only. Yes, they can send all the crap they want and I also don't care.
 
Would be nice to know whether deactivating a HME address limits vulnerability to this.

Most plausible theory I've seen someone come up with this morning given my limited knowledge is that someone can send a "malformed" email to a HME address and get back a bounced email that reveals the address being forwarded to.
Based on the focus on people search databases, my guess is that data aggregators and web trackers are good enough to tie the alias address to other unique characteristics (cross-site tracking cookies, browser dimensions/attributes, etc.) that they are able to associate the Hide My Email address with other unique personally identifiable information, effectively deanonymizing the user.
 
This 👆 from @xpxp2002 is where my mind went

Sounding like "hide my email" is akin to individuals doing recycling.

(vs industry and/or systemic changes)

It feels good, but mostly isn't doing much to address the actual goal.
 
  • Like
Reactions: jfgi
This is the kind of thing that seriously undermines any claim that Apple is the “privacy” choice for consumers.
I use “Hide my Email” regularly, so learning about this is really maddening. Apple management obviously doesn’t see it as a serious issue if they allowed it to linger this long. How big of a chunk of salt are expected to bring along when we listen to their ads, like the ones running currently regarding Safari and trackers, for example?

This has me wondering what else there might be if they can't get this issue right.


Based on the focus on people search databases, my guess is that data aggregators and web trackers are good enough to tie the alias address to other unique characteristics (cross-site tracking cookies, browser dimensions/attributes, etc.) that they are able to associate the Hide My Email address with other unique personally identifiable information, effectively deanonymizing the user.

I dunno. The 404 article says the reveal only takes 5 minutes:

"To test the issue I generated a new Hide My Email address and provided it to Murphy. Around five minutes later, he replied with my real email address linked to my Apple account which was supposed to be hidden."
 
Would be nice to know whether deactivating a HME address limits vulnerability to this.

Most plausible theory I've seen someone come up with this morning given my limited knowledge is that someone can send a "malformed" email to a HME address and get back a bounced email that reveals the address being forwarded to.
That would be such an easy fix that Apple's lack of a fix would border on maliciousness. As is, waiting over a year is beyond incompetent for such a massive company.
 
Is this possibly related to the upcoming private.icloud.com domain change? The timing seems coincidental. Perhaps the exploit is a fundamental problem and they can’t fix it.

The real issue on the privacy stuff, that is a constant tension for Apple, is that consumers SO often really enjoy the product benefits they can get when their info is used extensively.
 
  • Like
Reactions: Mr_Ed
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.