It turns out one of Apple’s privacy features may not be as secure as users thought.
Apple’s Hide My Email feature currently has a vulnerability that can reveal users’ real email addresses, 404 Media reports.
Hide My Email is an iCloud+ feature that lets users create unique, random email addresses when signing up for apps, websites, and other online accounts. Messages sent to those addresses are then automatically forwarded to the user’s real inbox.
On its support page, Apple says Hide My Email is designed to let users keep their “personal email address private.”
But the privacy company EasyOptOuts told 404 Media that it discovered a vulnerability in the service that could let someone uncover the real email address tied to a Hide My Email alias.
404 Media did not disclose details of the exploit because the bug has not yet been fixed. However, the outlet verified the vulnerability by generating a Hide My Email address and sharing it with EasyOptOuts co-founder Tyler Murphy. Murphy was then able to connect the anonymous email to the corresponding Apple account in about five minutes.
The most shocking part is that Apple has reportedly known about the issue for more than a year and still has not fixed it.
“Apple Hide My Email is leaking email addresses that are supposed to be hidden,” Murphy told 404 Media. “We reported the issue and replication instructions to Apple over a year ago. We don’t know why it hasn’t been fixed, but we don’t feel comfortable waiting any longer. Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses.”
Murphy added that publicly accessible people-search sites make it easy for potential attackers to connect the leaked email addresses to users’ other personal details.
According to 404 Media, Murphy first notified Apple about the issue in June 2025. Apple responded a month later and said it was looking into the issue. Then, in March of this year, Apple reportedly told Murphy that the issue had been addressed in a recent system change. Murphy, however, found that the vulnerability was still not fixed.
In May, Apple reportedly asked Murphy not to disclose the exploit because it was still investigating. By the end of that month, Apple said it planned to fix the issue in a future update “in the coming weeks.”
Apple did not immediately respond to a request for comment.
News of the bug also comes shortly after Apple made a change to Hide My Email that could make the feature less effective.
TechCrunch reported last month that Apple told developers it’s going to stop generating these anonymous email addresses with the @icloud.com domain and instead use @private.icloud.com. Apple’s support page now says the email addresses are being created with a @privaterelay.appleid.com domain. TechCrunch pointed out that this change would make it easier for websites to block these anonymous signups.