The Vulnerability in Apple’s Privacy Feature
A security researcher has uncovered a flaw in Apple’s Hide My Email service that can potentially reveal a user’s real email address, undermining the feature’s core privacy promise. Designed to generate unique, random email aliases that forward to a personal inbox, Hide My Email is meant to keep the true address hidden from websites and apps. The researcher, Tyler Murphy of EasyOptOuts, reported the issue to Apple in June 2025 but says it remains unpatched more than a year later.
When Murphy reached out again in May 2026, Apple acknowledged the issue and requested he not disclose details until an investigation was complete. The company indicated a fix would arrive in a security update within weeks, but that timeline passed without a patch. Murphy then contacted 404 Media, which independently verified the vulnerability but withheld technical specifics to prevent exploitation.
Wider Implications and Current Advice
Complicating matters, Apple recently announced it will move Hide My Email addresses to the @private.icloud.com domain. This change makes it easier for services to identify and potentially block alias addresses during sign-up, reducing the feature’s usefulness even before the underlying flaw is addressed.
Until Apple releases a security update, users should not rely solely on Hide My Email to protect their real email address. Using unique aliases for each service remains a strong privacy practice, as it helps trace data breaches and allows disabling a compromised alias without affecting the main inbox. Users are advised to monitor for Apple’s promised fix and consider alternative methods for email privacy in the meantime.
Source: Malwarebytes

