Apple's 'Hide My Email' Reportedly Exposes Your Real Email Address

TL;DR

A vulnerability in Apple’s ‘Hide My Email’ feature allows bad actors to uncover users’ real email addresses. Apple has known about the issue since mid-2025 and is reportedly working on a fix. The flaw raises privacy and security concerns for users relying on the feature.

Apple’s ‘Hide My Email’ feature, designed to protect user privacy by generating anonymous email aliases, has a security flaw that can expose users’ real email addresses to malicious actors. This vulnerability, reported by 404 Media, has been known to Apple since June 2025 and is still unpatched as of July 2026, raising concerns about the effectiveness of the privacy tool.

According to reports, bad actors can exploit the ‘Hide My Email’ feature by using free, publicly accessible people-search sites to discover the real email addresses behind aliases. The flaw was tested by Lifehacker and other researchers, who found that within minutes of receiving an alias, they could retrieve the actual email address associated with it. This vulnerability affects users who rely on ‘Hide My Email’ for privacy, especially when signing up for third-party services or online accounts.

Apple responded to the reports by confirming it had been aware of the issue since June 2025 and had been investigating it. The company announced a patch in March 2026 but, according to recent reports, the flaw persists as of July 2026. Apple is reportedly continuing its investigation, with some sources indicating that a fix may still be in development.

At a glance

When: ongoing; publicly reported in July 2026…

The development: Security researchers have identified a flaw in Apple’s ‘Hide My Email’ that exposes users’ actual email addresses through public search sites.

Potential Privacy Risks for ‘Hide My Email’ Users

This flaw undermines the primary purpose of ‘Hide My Email,’ which is to protect user identities and prevent exposure of personal contact information. If malicious actors can uncover real addresses, it could lead to targeted phishing, spam, or identity theft. The issue also calls into question the reliability of Apple’s privacy claims, especially as the company prepares to change the alias domain, which could further reduce the feature’s effectiveness.

Background and Previous Concerns About ‘Hide My Email’

‘Hide My Email’ was introduced as part of Apple’s broader privacy initiatives, allowing users to generate random email addresses that forward to their real inboxes. The feature is widely used by privacy-conscious users to avoid sharing personal email addresses with untrusted services. In recent weeks, reports emerged that Apple plans to change the domain of these aliases from @icloud.com to @private.icloud.com, which could make it easier for automated systems to identify aliases and reduce their anonymity. The vulnerability’s discovery adds to growing concerns about the feature’s robustness and Apple’s handling of privacy protections.

“Almost anyone can use publicly accessible search sites to uncover the real email address behind a Hide My Email alias.”

— an anonymous researcher

Extent and Impact of the Vulnerability Still Unclear

While tests indicate the vulnerability is real and exploitable, the full scope of affected users and potential damage remains unclear. Apple has not disclosed detailed technical information or the number of users impacted, and it is not yet confirmed how widespread or persistent the flaw is across different alias types or account setups.

Expected Timeline for Fixes and Policy Changes

Apple is expected to continue its investigation into the vulnerability, with a possible software update or patch in the coming weeks or months. Additionally, the company may delay or modify its plans to change the alias domain to @private.icloud.com, which could further influence the feature’s security and user privacy. Users are advised to remain cautious and monitor official updates.

Key Questions

Can my real email address be exposed through ‘Hide My Email’?

Yes, if exploited, the vulnerability can allow bad actors to discover your actual email address associated with a ‘Hide My Email’ alias, especially using publicly accessible search sites.

Has Apple acknowledged this flaw?

Yes, Apple has been aware of the issue since June 2025 and has confirmed ongoing investigations, with plans to address it in future updates.

Will the upcoming change to alias domains make the feature less secure?

Potentially, yes. Changing alias domains to @private.icloud.com could make it easier for automated systems to identify and block these aliases, reducing their effectiveness for privacy.

Should I stop using ‘Hide My Email’ until the issue is fixed?

It is advisable to remain cautious and stay updated on official Apple advisories. Users should consider alternative privacy measures if they are concerned about exposure.

When might a fix or update be available?

There is no official timeline yet, but Apple is expected to release a patch within the next few weeks or months as investigations continue.

Source: Lifehacker
