Apple “Hide My Email” leaks email addresses, researcher claims


The company seems not to have fixed the issue.

Key takeaways:

Apple’s privacy-related feature, “Hide My Email,” isn’t working as intended. It is susceptible to a vulnerability that allows users to see the actual user's email, according to a security researcher

ADVERTISEMENT

What makes it even more alarming is that the problem appears to have persisted for more than a year after it was first noticed.

“Hide My Email” generates unique email addresses to protect users’ actual email addresses.

These addresses are then used to forward messages to the user’s inbox and to sign up for websites and newsletters without needing to disclose their real email address.

The vulnerability was discovered and reported to Apple by Tyler Murphy, a co-founder of EasyOptOuts, who told 404 Media that the company hadn’t fixed the issue and “we don’t feel comfortable waiting any longer.”

apple moves hide my email sign in with apple
Image by Cybernews.

How vulnerable is the Hide My Email feature?

404 Media said it verified the vulnerability, but was not revealing the exact details because it could still be reported at the time of reporting on July 1st.

“Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses,” Murphy told the website.

ADVERTISEMENT

The researcher first contacted Apple about this problem in June, 2025, and the company shared that the issue is under review, according to the report.

In March of 2026, Apple announced an update, which said it “addressed the reported issue in a recent system change.”

However, Murphy said that the vulnerability persisted. The company then investigated it until May, also asking the researcher “to not [disclose] this information until [...] investigation is complete.”

Strong password generator

Upgrade the security of your online accounts.
Create strong passwords that are completely random and impossible to guess.
Generated unique password
Ad link_title
Convenient way to secure and use all your passwords. Now 72% OFF!

After the company announced that the changes would be introduced in a future security update, Murphy contacted the news outlet about the issue with the feature.

It has previously been reported that “Hide My Email” and “Sign in with Apple” email addresses will be unified under a new, separate subdomain, @private.icloud.com, instead of @icloud.com and @privaterelay.appleid.com.

However, this decision could render them essentially useless, as some services might refuse to accept these emails.

Cybernews has contacted Apple for additional comments.


Unlock more exclusive Cybernews content on YouTube.

ADVERTISEMENT