TL;DR
A vulnerability in Apple’s ‘Hide My Email’ feature allows bad actors to uncover users’ real email addresses. Apple has known about the issue since mid-2025 and is reportedly working on a fix. The flaw raises privacy and security concerns for users relying on the feature.
Apple’s ‘Hide My Email’ feature, designed to protect user privacy by generating anonymous email aliases, has a security flaw that can expose users’ real email addresses to malicious actors. This vulnerability, reported by 404 Media, has been known to Apple since June 2025 and is still unpatched as of July 2026, raising concerns about the effectiveness of the privacy tool.
According to reports, bad actors can exploit the ‘Hide My Email’ feature by using free, publicly accessible people-search sites to discover the real email addresses behind aliases. The flaw was tested by Lifehacker and other researchers, who found that within minutes of receiving an alias, they could retrieve the actual email address associated with it. This vulnerability affects users who rely on ‘Hide My Email’ for privacy, especially when signing up for third-party services or online accounts.
Apple responded to the reports by confirming it was aware of the issue since June 2025 and had been investigating it. The company announced a patch in March 2026 but, according to recent reports, the flaw persists as of July 2026. Apple is reportedly continuing its investigation, with some sources indicating that a fix may still be in development.
Potential Privacy Risks for ‘Hide My Email’ Users
This flaw undermines the primary purpose of ‘Hide My Email,’ which is to protect user identities and prevent exposure of personal contact information. If malicious actors can uncover real addresses, it could lead to targeted phishing, spam, or identity theft. The issue also questions the reliability of Apple’s privacy claims, especially as the company prepares to change the alias domain, which could further reduce the feature’s effectiveness.
privacy screen protectors for iPhone
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Background and Previous Concerns About ‘Hide My Email’
‘Hide My Email’ was introduced as part of Apple’s broader privacy initiatives, allowing users to generate random email addresses that forward to their real inboxes. The feature is widely used by privacy-conscious users to avoid sharing personal email addresses with untrusted services. In recent weeks, reports emerged that Apple plans to change the domain of these aliases from @icloud.com to @private.icloud.com, which could make it easier for automated systems to identify aliases and reduce their anonymity. The vulnerability’s discovery adds to growing concerns about the feature’s robustness and Apple’s handling of privacy protections.
“Almost anyone can use publicly accessible search sites to uncover the real email address behind a Hide My Email alias.”
— an anonymous researcher
email alias protection tools
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Extent and Impact of the Vulnerability Still Unclear
While tests indicate the vulnerability is real and exploitable, the full scope of affected users and potential damage remains unclear. Apple has not disclosed detailed technical information or the number of users impacted, and it is not yet confirmed how widespread or persistent the flaw is across different alias types or account setups.
secure email forwarding services
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Expected Timeline for Fixes and Policy Changes
Apple is expected to continue its investigation into the vulnerability, with a possible software update or patch in the coming weeks or months. Additionally, the company may delay or modify its plans to change the alias domain to @private.icloud.com, which could further influence the feature’s security and user privacy. Users are advised to remain cautious and monitor official updates.
anti-phishing email security
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Key Questions
Can my real email address be exposed through ‘Hide My Email’?
Yes, if exploited, the vulnerability can allow bad actors to discover your actual email address associated with a ‘Hide My Email’ alias, especially using publicly accessible search sites.
Has Apple acknowledged this flaw?
Yes, Apple has been aware of the issue since June 2025 and has confirmed ongoing investigations, with plans to address it in future updates.
Will the upcoming change to alias domains make the feature less secure?
Potentially, yes. Changing alias domains to @private.icloud.com could make it easier for automated systems to identify and block these aliases, reducing their effectiveness for privacy.
Should I stop using ‘Hide My Email’ until the issue is fixed?
It is advisable to remain cautious and stay updated on official Apple advisories. Users should consider alternative privacy measures if they are concerned about exposure.
When might a fix or update be available?
There is no official timeline yet, but Apple is expected to release a patch within the next few weeks or months as investigations continue.
Source: Lifehacker