WTF?! Apple's Hide My Email tool has long been considered one of the company's best privacy features, but it might not be as secure as Cupertino claims. A vulnerability uncovered by researchers appears to allow your real email address to be discovered by attackers.
Hide My Email, available through iCloud+, lets users create random addresses that forward messages to their real inbox.
The idea is that you can sign up for newsletters, apps, online stores, or any site giving off strong "we will sell this to 14 data brokers" energy without handing over your own email. If the alias starts attracting spam, you can deactivate it and move on.
According to 404 Media, privacy firm EasyOptOuts discovered a flaw that can link one of those supposedly anonymous aliases back to the user's real email address.
The outlet says it verified the issue by creating a new Hide My Email address and sending it to EasyOptOuts co-founder Tyler Murphy, who was able to identify the real Apple account email behind it in around five minutes.
The publication isn't revealing the technical details because the bug was still exploitable when it tested the vulnerability. While that helps users, it makes it harder to judge how easily the flaw could be abused.
Murphy said his company reported the problem to Apple more than a year ago, including instructions on how to reproduce it. Apple reportedly said in July 2025 that it was investigating, then told Murphy in March 2026 that the issue had been fixed through a system change. But he said he was still able to reproduce it.
Apple later asked Murphy not to disclose the flaw while it continued investigating, and said near the end of May that a fix was planned for a future update in the coming weeks. However, Murphy appears to have proved that the vulnerability is still present. Apple has not publicly commented.
Murphy said EasyOptOuts doesn't know how widespread the issue is, but in limited tests with volunteers, 100% of Hide My Email addresses were exploitable.
"We don't know why it hasn't been fixed, but we don't feel comfortable waiting any longer. Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses," Murphy told 404 Media. He warned that once a real email address is exposed, people-search sites and data brokers can make it easier to connect it to names, phone numbers, relatives, home addresses, and other personal details.
