Apple “Hide My Email” leaks email addresses, researcher claims

The company seems not to have fixed the issue.
-
Apple's "Hide My Email" feature can be exploited to reveal users' real email addresses.
-
The flaw remains unresolved despite being reported in June 2025.
-
Apple initially claimed to have fixed the issue in March 2026, but the vulnerability persisted.
-
An upcoming change to unify Hide My Email under a new @private.icloud.com subdomain may make the feature even less useful, as some services could refuse to accept emails from that domain.
Apple’s privacy-related feature, “Hide My Email,” isn’t working as intended. It is susceptible to a vulnerability that allows users to see the actual user's email, according to a security researcher
What makes it even more alarming is that the problem appears to have persisted for more than a year after it was first noticed.
“Hide My Email” generates unique email addresses to protect users’ actual email addresses.
These addresses are then used to forward messages to the user’s inbox and to sign up for websites and newsletters without needing to disclose their real email address.
The vulnerability was discovered and reported to Apple by Tyler Murphy, a co-founder of EasyOptOuts, who told 404 Media that the company hadn’t fixed the issue and “we don’t feel comfortable waiting any longer.”
How vulnerable is the Hide My Email feature?
404 Media said it verified the vulnerability, but was not revealing the exact details because it could still be reported at the time of reporting on July 1st.
“Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses,” Murphy told the website.
Stay updated with our latest stories and follow us on social media
Be the first to discover new stories, ideas, and updates from our team.
The researcher first contacted Apple about this problem in June, 2025, and the company shared that the issue is under review, according to the report.
In March of 2026, Apple announced an update, which said it “addressed the reported issue in a recent system change.”
However, Murphy said that the vulnerability persisted. The company then investigated it until May, also asking the researcher “to not [disclose] this information until [...] investigation is complete.”
Strong password generator
After the company announced that the changes would be introduced in a future security update, Murphy contacted the news outlet about the issue with the feature.
It has previously been reported that “Hide My Email” and “Sign in with Apple” email addresses will be unified under a new, separate subdomain, @private.icloud.com, instead of @icloud.com and @privaterelay.appleid.com.
However, this decision could render them essentially useless, as some services might refuse to accept these emails.
Cybernews has contacted Apple for additional comments.
Unlock more exclusive Cybernews content on YouTube.