Apple’s Hide My Email May Expose Real Addresses, Privacy Promise Under Scrutiny

Apple’s Hide My Email feature is facing a serious question: a tool designed to protect users’ identities may be able to reveal the real email address behind it. The issue matters because the feature is built for everyday privacy, from signing up for services to filling out web forms and subscribing to newsletters.

According to 404 Media, the vulnerability could allow anyone to uncover an email address that was supposed to stay hidden. The report also says Apple has known about the issue, yet an effective fix has not been confirmed.

How the feature is supposed to work

Hide My Email is available to iCloud+ subscribers and creates random @icloud.com addresses for use online. Messages sent to those addresses are then forwarded to the user’s personal inbox, so the primary email does not need to be shared directly.

That design makes the feature one of Apple’s privacy tools that users may rely on most. It also means any flaw that exposes the real address cuts directly against the purpose of the service.

FeatureIntended privacy roleReported issue
Hide My EmailUses random @icloud.com addresses instead of the user’s main inboxMay expose the original email address
iCloud+Subscription service that includes the featureThe privacy tool is part of a paid plan

What researchers say

The problem was identified by Tyler Murphy, co-founder of Easy Opt Out. Murphy says Apple was informed about the issue as early as June 2025, but no final fix has been rolled out so far.

He also says users should understand that attackers may be able to discover the hidden email addresses behind the service. Murphy argued that it was uncomfortable to keep waiting without warning the public while the repair remained incomplete.

404 Media said it independently verified the problem and found it could still be exploited through June 30. That verification strengthens the concern that the issue is not merely theoretical and may still be active.

Murphy added that his team sent Apple a report and reproduction steps more than a year ago. He also said a limited test with volunteers suggested “100 percent” of protected emails could be exploited, although the scope of the issue has not been fully mapped.

Why the risk matters for users

If the finding holds across a wider set of users, the main risk is the loss of digital identity protection that Hide My Email promises. People who use random addresses to avoid tracking, spam, or exposure of their personal inbox could lose the main benefit of the feature.

That concern is sharper because Hide My Email sits inside iCloud+, a paid service. In India, iCloud+ starts at 75 per month for 50GB, which makes the privacy promise especially important for subscribers who pay for the added protection.

Apple’s response remains incomplete

Apple reportedly acknowledged the issue the month after the initial report was received and said it was investigating. The company later told Murphy in March 2026 that the problem had been addressed in a recent system update.

Murphy then found that the vulnerability had not actually been fixed and sent additional details back to Apple. Later in the same month, Apple said the investigation was still ongoing, and in May the company again said review of the issue was continuing.

The repeated back-and-forth shows that Apple has reviewed the problem more than once, but there is still no confirmed sign that the reported exposure has been fully closed. For users who depend on Hide My Email, that leaves an uncomfortable gap between the privacy promise and the current state of the feature.

Until a verified fix is confirmed, the feature remains under scrutiny as one of Apple’s most visible privacy tools. For now, the question is not whether Hide My Email is useful, but whether users can still trust it to keep their real address hidden.

Source: www.gadgets360.com

Related