Apple's 'Hide My Email' Reportedly Exposes Your Real Email Address

TL;DR

Apple’s ‘Hide My Email’ feature has a vulnerability that allows malicious actors to uncover users’ real email addresses using free search sites. Apple is aware of the issue and has been investigating since June 2025. The flaw’s existence raises significant privacy concerns, especially as Apple plans to change alias domains, potentially reducing the feature’s effectiveness.

Apple’s ‘Hide My Email’ feature, designed to protect user privacy by hiding real email addresses behind aliases, has been found to contain a security flaw that can expose users’ actual email addresses to malicious actors. The vulnerability, reported by 404 Media, has been under investigation by Apple since June 2025, but remains unpatched as of July 2026. This issue is significant because it undermines a key privacy tool used by many Apple users to prevent data leaks and spam.

According to reports from 404 Media, the flaw allows bad actors to discover the real email address associated with a ‘Hide My Email’ alias by using free, publicly accessible people-search websites. The vulnerability was tested by the reporter, who found that within five minutes, an alias could be traced back to the user’s actual email address. Apple confirmed to Murphy, the researcher, that it was aware of the issue and had been investigating since June 2025. Despite multiple updates, the flaw remains unpatched, and Apple has requested that details not be disclosed publicly until a fix is implemented.

The problem is compounded by recent plans from Apple to change the domain of ‘Hide My Email’ aliases from @icloud.com to @private.icloud.com, which could make it easier for observers to identify these aliases as non-primary addresses, thereby reducing their effectiveness. Apple has yet to roll out this change, but it has raised concerns among privacy advocates and security experts.

At a glance
When: ongoing; publicly reported in July 2026…
The development: A security vulnerability in Apple’s ‘Hide My Email’ feature can expose users’ real email addresses to bad actors, despite its intended privacy protections.

Impact on User Privacy and Security

This vulnerability threatens the core purpose of ‘Hide My Email’—to protect user identities and prevent unauthorized access to personal data. If malicious actors can uncover real email addresses, they could use this information for targeted phishing, spam, or other malicious activities. The flaw also raises questions about Apple’s commitment to user privacy, especially as the company prepares to modify the alias domain, potentially making it easier to identify users’ real addresses.

Background on ‘Hide My Email’ and Recent Changes

‘Hide My Email’ was introduced as part of Apple’s iCloud+ suite, allowing users to generate anonymous email aliases when signing up for services or communicating online. The feature has been widely adopted by privacy-conscious users to avoid spam and protect personal data. In recent weeks, reports emerged that Apple plans to change the alias domain from @icloud.com to @private.icloud.com, a move critics say could diminish the feature’s concealment capabilities, as the new domain explicitly indicates an alias, potentially increasing suspicion and blocking by third parties.

Apple has publicly acknowledged the investigation into the security flaw but has not yet announced a timeline for fixing it. The company’s previous response indicated ongoing efforts to resolve the issue, which has been under review since mid-2025.

“Almost anyone can use free search sites to discover the real email behind a Hide My Email alias.”

— an anonymous researcher

Unresolved Aspects of the Vulnerability

It is not yet clear when Apple will release a patch for the flaw, or whether the upcoming domain change will be implemented before the vulnerability is fixed. The full technical details of the exploit are also not publicly available, as Apple and the researcher have agreed to withhold specifics until a fix is in place. Additionally, the scope of affected users remains uncertain, though the vulnerability appears to be widespread.

Next Steps in Addressing the Flaw and Policy Changes

Apple is expected to continue its investigation and aims to release a security update in the coming months. The company may also delay or modify its plans to change the alias domain to preserve the effectiveness of ‘Hide My Email.’ Privacy advocates and security experts will be watching closely for official announcements and patches. Users are advised to remain cautious about relying solely on this feature until the vulnerability is resolved.

Key Questions

Can my real email address be uncovered through ‘Hide My Email’?

Yes. According to recent reports, malicious actors who exploit the flaw can use publicly accessible search sites to discover the real email address behind your ‘Hide My Email’ alias.

Has Apple acknowledged the vulnerability?

Yes, Apple confirmed to researchers that it has known about the flaw since June 2025 and has been investigating it since then. No fix has been issued as of July 2026.

Will the domain change affect the security of ‘Hide My Email’?

Potentially. Changing the alias domain to @private.icloud.com could make it easier for third parties to identify aliases, possibly reducing their effectiveness. Apple has not yet rolled out this change.

What should users do to protect themselves now?

Users should avoid relying solely on ‘Hide My Email’ for sensitive communications until the vulnerability is patched and should consider additional privacy measures.

Source: Lifehacker
