One of Apple’s major bugs appears to be revealing all real emails to Hide My Email users.


A not-so-small vulnerability in Apple’s Hide My Email feature allows malicious actors to see anyone’s real email address, according to reports Wednesday.

Co-Founder of Easy unsubscribe servicetyler murphy, Who spoke to 404 MediaHe said Apple had been aware of the problem for more than a year but had not yet fixed the flaw.

Hide my email address iCloud Plus service (starts at $1 per month), and offers tools similar to Any disposable or temporary email site. It lets you create an anonymous email address with an icloud.com domain to use when you don’t want to share your real email address. The nickname then expires after a specified period of time.

These email aliases are popular to ensure privacy when registering For new website or app accountsOr test coupons or download free versions of software or trial software. If this service is later hacked, your real email will not be at risk.

Although Murphy did not provide details on how the vulnerability works, he did tell 404 Media that Easy Opt Out conducted tests with volunteers and that 100% of Hide My Email addresses could be used to Reveal the real address With basic identity search sites available to anyone. 404 media It did not disclose details of the security issue because it could still be exploited at the time of preparing its report.

Murphy reported that he notified Apple of the issue in June 2025. In March 2026, Apple said it had addressed the issue, but Murphy found that the vulnerability still existed.

By May 2026, Apple reported that it was still investigating the issue and requested that Murphy not be made public, saying: “To avoid putting our customers at risk, we would appreciate not disclosing this information until our investigation is complete.” Murphy disagreed and unveiled his findings.

An Apple representative did not immediately respond to CNET’s request for comment.

If you’re using Hide My Email, you may want to stop now. Stay tuned over the next few months, too Apple news report He says the tech giant plans to update the tool this summer. One of these updates includes changing the domain from “icloud.com” to “private.icloud.com”.

We’re not sure why Apple made this domain change, but it may make it easier for websites to automatically block any address that includes “private.icloud.com,” which could prompt people to share their real email addresses instead of using an alias. This would significantly reduce the value of the feature.



Leave a Reply

Your email address will not be published. Required fields are marked *