A vulnerability in Apple’s Hide My Email service can allow almost anyone to discover your real email address that is hidden behind a generated alias, according to 404 Media. The report says Apple has not addressed the flaw, even though it was reported more than a year ago.
While the publication is not providing technical details about the vulnerability, as it is still in the wild, it has verified the issue this week with one of its own Hide My Email addresses. Multiple tests by the researcher who discovered the flaw show that any Hide My Email address was vulnerable to the flaw.
Hide My Email is an iCloud+ feature that allows users to generate random alias email addresses, hiding their real email address when signing up for online services or when emailing third parties. The feature is promoted as a way for a user to protect their real email address from spam, data breaches, and unwanted identification.
Tyler Murphy, co-founder of EasyOptOuts, discovered the issue and reported it to Apple back in June 2025, along information on how to replicate it. Apple acknowledged the report a month later and said it was investigating.
Murphy said:
Apple Hide My Email is leaking email addresses that are supposed to be hidden. We reported the issue and replication instructions to Apple over a year ago. We don’t know why it hasn’t been fixed, but we don’t feel comfortable waiting any longer. Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses.
Free, publicly accessible people-search sites make it easy to link an email address to other personal details, so people relying on Hide My Email for safety may be at risk.
In March of this year, Apple reported to Murphy that it had “addressed the reported issue in a recent system change.” However, when Murphy checked, he found the flaw had not been closed. He provided further information to Apple, which replied again to say it was still investigating.
Then, in May, Apple once again told Murphy that the issue was still being investigated, requesting that he not share it publicly until they were finished looking into the matter. At that time, Murphy suggested that Apple not allow users to create new Hide My Email addresses until the flaw was fixed. Apple did not respond. However, by the end of May, Apple told him that it expected to address the issue in a security update “expected in the coming weeks.”
“Free, publicly accessible people-search sites make it easy to link an email address to other personal details, so people relying on Hide My Email for safety may be at risk,” Murphy noted.
Apple did not respond to multiple requests for comment from 404 Media.