Index  ›  science  ›  Gizmodo Science

Apple’s ‘Hide My Email’ Feature May Reveal Users’ Real Addresses

Gizmodo Science Published Jul 1, 2026 Reviewed Jul 3, 2026 ✓ Reviewed by citations.press editors
Citation-ready fact
Apple was first notified about the Hide My Email vulnerability by EasyOptOuts co-founder Tyler Murphy in June 2025.
2025 · date of first notification of Hide My Email vulnerability
View source ↗
Citation-ready fact
Apple changed Hide My Email email address generation from the @icloud.com domain to the @privaterelay.appleid.com domain, according to TechCrunch.
1 domain change · Hide My Email domain change from @icloud.com to @privaterelay.appleid.com
View source ↗
Citation-ready fact
The privacy company EasyOptOuts discovered a vulnerability in Apple’s Hide My Email feature that allowed its co-founder Tyler Murphy to connect a generated Hide My Email alias to the corresponding Apple account in about five minutes.
about 5 minutes · time to connect Hide My Email alias to Apple account
View source ↗
Citation-ready fact
The privacy company EasyOptOuts discovered a vulnerability in Apple’s Hide My Email feature that allowed its co-founder Tyler Murphy to uncover a user’s real email address in about five minutes by generating a Hide My Email alias and sharing it with Murphy.
about 5 minutes · time to uncover real email address
View source ↗
Citation-ready fact
Apple reported in May 2026 that it planned to fix the Hide My Email vulnerability in a future update 'in the coming weeks'.
2026 · date Apple committed to fixing Hide My Email vulnerability
View source ↗
Citation-ready fact
Apple told EasyOptOuts co-founder Tyler Murphy in March 2026 that the Hide My Email vulnerability had been addressed in a recent system change, but Murphy verified the vulnerability remained unfixed.
2026 · date Apple claimed the Hide My Email vulnerability was fixed
View source ↗
Citation-ready fact
Apple was first notified about the Hide My Email vulnerability by EasyOptOuts co-founder Tyler Murphy in June 2025, responded in July 2025, falsely claimed it was fixed in March 2026, and as of May 2026 had not patched the issue despite promising a fix 'in the coming weeks'.
1 year · duration Apple knew about the vulnerability without fixing it
View source ↗
Citation-ready fact
Apple changed Hide My Email to generate anonymous email addresses using the @privaterelay.appleid.com domain instead of @icloud.com, a change TechCrunch reported could make it easier for websites to block anonymous signups.
1 domain change · Hide My Email domain migration
View source ↗

It turns out one of Apple’s privacy features may not be as secure as users thought.

Apple’s Hide My Email feature currently has a vulnerability that can reveal users’ real email addresses, 404 Media reports.

Hide My Email is an iCloud+ feature that lets users create unique, random email addresses when signing up for apps, websites, and other online accounts. Messages sent to those addresses are then automatically forwarded to the user’s real inbox.

On its support page, Apple says Hide My Email is designed to let users keep their “personal email address private.”

But the privacy company EasyOptOuts told 404 Media that it discovered a vulnerability in the service that could let someone uncover the real email address tied to a Hide My Email alias.

404 Media did not disclose details of the exploit because the bug has not yet been fixed. However, the outlet verified the vulnerability by generating a Hide My Email address and sharing it with EasyOptOuts co-founder Tyler Murphy.  Murphy was then able to connect the anonymous email to the corresponding Apple account in about five minutes.

The most shocking part is that Apple has reportedly known about the issue for more than a year and still has not fixed it.

“Apple Hide My Email is leaking email addresses that are supposed to be hidden,” Murphy told 404 Media. “We reported the issue and replication instructions to Apple over a year ago. We don’t know why it hasn’t been fixed, but we don’t feel comfortable waiting any longer. Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses.”

Murphy added that publicly accessible people-search sites make it easy for potential attackers to connect the leaked email addresses to users’ other personal details.

According to 404 Media, Murphy first notified Apple about the issue in June 2025. Apple responded a month later and said it was looking into the issue. Then, in March of this year, Apple reportedly told Murphy that the issue had been addressed in a recent system change. Murphy, however, found that the vulnerability was still not fixed.

In May, Apple reportedly asked Murphy not to disclose the exploit because it was still investigating. By the end of that month, Apple said it planned to fix the issue in a future update “in the coming weeks.”

Apple did not immediately respond to a request for comment.

News of the bug also comes shortly after Apple made a change to Hide My Email that could make the feature less effective.

TechCrunch reported last month that Apple told developers it’s going to stop generating these anonymous emails with the @icloud.com domain and instead use @private.icloud.com. Apple’s support page now says the email addresses are being created with a @privaterelay.appleid.com domain. TechCrunch pointed out that this change would make it easier for websites to block the use of these anonymous signups.

Stay cool and enjoy the long, sunny days ahead with these gadgets to upgrade your life this summer and beyond.

The U.S. Supreme Court agreed to hear Apple’s appeal in a case dealing with App Store fees.

10 years from now, you're going to regret not parking that username.

You won't get next-generation performance with your next-gen MacBook display. At least not until 2027.

From pro-AI candidates losing primaries in Utah to bans in New Jersey, the backlash against data centers is growing.

Apple veteran Julian Hoenig has a vision for the future of short-range rides.

This article was originally published by Gizmodo Science ↗. citations.press indexes the source-backed facts above and links to the original. Something wrong? Corrections policy · Report an error