Apple’s Hide My Email may not be hiding your real address

Apple’s Hide My Email feature is supposed to keep your personal inbox out of reach. You sign up for a service, hand over a randomly generated address, and your real email stays hidden. But according to a new report, there may be a flaw that breaks that promise entirely.

As reported by Engadget, citing a 404 Media investigation, a vulnerability in Hide My Email may allow attackers to connect users’ real email addresses to their anonymous Apple-generated ones. If that’s accurate, anyone using the feature to avoid spam, dodge data brokers, or protect themselves from future breaches may have been getting a false sense of security.

Hide My Email is part of the iCloud+ subscription tier. It’s one of Apple’s more practical privacy tools, and a lot of users rely on it specifically because they don’t trust every website or app they sign up for. A flaw that undermines it entirely is a serious problem.

The people who found the issue are the team at EasyOptOuts, a service that helps people remove their personal information from data broker sites. CEO Tyler Murphy says his team contacted Apple about the vulnerability roughly a year ago and explained how to reproduce it. Apple apparently responded at different points that it was looking into the issue, that a fix was in progress, or that one had already been rolled out.

None of that appears to have resolved things. Murphy and 404 Media reporter Joseph Cox were both able to exploit the flaw while reporting the story. To protect Apple users, neither the article nor this report includes the specific technical details of how the exploit works.

Murphy was direct about why his team decided to go public now. “We don’t know why it hasn’t been fixed, but we don’t feel comfortable waiting any longer,” he told 404 Media. “Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses.”

The scope of the problem is still unclear, but Murphy’s early testing paints a troubling picture. In limited tests conducted with volunteers, every single Hide My Email address they checked was exploitable. That’s a 100 percent hit rate, though Murphy acknowledged those tests were small in scale.

This lands at a difficult moment for privacy-focused tech features. More people than ever are using tools like alias email addresses, private browsing modes, and tracker blockers specifically because they’ve lost confidence in how companies handle their data. A vulnerability in one of Apple’s marquee privacy tools feeds directly into that skepticism.

Apple has not yet publicly commented on the issue. Engadget says it reached out to the company and will update its coverage if a response comes in. Until Apple addresses this officially, Hide My Email users should be aware that the feature may not offer the protection they’re counting on.