Cybersecurity

Apple’s Hide My Email Service Exposed Users’ Real Email Addresses

Apple’s privacy feature Hide My Email, designed to protect users’ real email addresses by generating unique forwarding aliases, has been found leaking those real addresses for at least a year. Security researcher Tyler Murphy disclosed the persistent vulnerability this week, noting that the flaw makes it possible to trace a Hide My Email address back to the creator’s personal email.

What Happened

Hide My Email, launched by Apple in 2021, allows users to sign up for online services with randomized @icloud.com email addresses that forward messages to their real inboxes. However, research published by 404 Media revealed recently that these alias emails have been exploitable since at least June 2025, enabling attackers to discover the actual linked email. Murphy reported the issue to Apple in mid-2025 and was initially told it was addressed by March 2026. Yet, continued tests showed the flaw remained exploitable months later, with Apple still investigating as of two months ago. The exact technical details of the vulnerability remain undisclosed, as the problem has yet to be fully resolved. Apple has not commented on the findings.

Key Facts

Tyler Murphy conducted controlled tests with volunteers, finding all tested Hide My Email addresses to be vulnerable. The flaw allows newly created Hide My Email addresses under the @icloud.com domain to be linked back to the user’s real email address. Apple received the vulnerability report in summer 2025 and initially claimed the issue was fixed by early 2026. Despite this, the security gap persists, with no official CVE number or patch released so far. The discovery was reported publicly by 404 Media in July 2026. The researcher declined to share exploit details to avoid further risks. Apple has not issued a security advisory or formal update related to this vulnerability.

What This Means

This vulnerability undermines a core privacy benefit offered by Apple’s Hide My Email service, potentially exposing the real contact information users sought to conceal. The ability to link randomized aliases directly back to real email accounts could facilitate targeted phishing attempts, spam, or identity exposure. For individuals relying on the service for online anonymity or data privacy, this breach represents a significant risk to personal security. It also erodes trust in Apple’s privacy promises amid growing scrutiny of tech firms’ security practices. The lingering nature of the flaw despite being reported demonstrates the challenges of promptly patching privacy features embedded in cloud services. Users of Hide My Email should remain cautious about the data they share and consider additional safeguards, such as using third-party anonymous email services, until Apple fully remediates the issue.

What Remains Unclear

The full scope of impacted users is not publicly known, nor is the extent to which malicious actors may have exploited the vulnerability during the past year. It remains unclear how widely the flaw can be leveraged beyond controlled testing conditions. There is no information on whether Apple has notified all affected users or plans to do so. Details about the root cause and exact exploit mechanisms have been withheld. It is also uncertain when or if Apple will release an official patch and security advisory addressing the issue.

Sources

This article is based on reporting and publicly available information from the following sources:

Read more Cybersecurity stories on Goka World News.

Ethan Clarke
About the editor

Ethan Clarke

Ethan Clarke Role: Cybersecurity Editor Ethan Clarke covers cybersecurity incidents, data breaches, online threats, ransomware, software vulnerabilities, and digital safety. His reporting focuses on confirmed details, affected systems, official advisories, and practical context without making unsupported accusations.

View all posts by Ethan Clarke