Apple’s Hide My Email doesn’t hide it very well

| July 2, 2026
iPhone displaying Apple logo

404 Media reports that a researcher has found a vulnerability in Apple’s Hide My Email feature that could allow someone to discover a person’s real email address.

That’s especially concerning because protecting your real email address is exactly what the feature is designed to do. 404 Media did not publish technical details of the vulnerability to avoid helping attackers exploit it, but said it independently verified that the issue works.

Hide My Email generates:

“Unique, random email addresses that automatically forward to your personal email inbox. Each address is unique to you. You can read and respond directly to emails sent to these addresses and your personal email address is kept private.”

Instead of giving a website or app your real email address when you sign up, you can give it one of these randomly generated addresses. Messages are forwarded to your normal inbox, but the sender shouldn’t be able to see your real email address. At least, that’s how it’s supposed to work.

Tyler Murphy, co-founder of EasyOptOuts, discovered and reported the issue to Apple in June 2025. More than a year later, he says the vulnerability still hasn’t been fixed.

When Murphy reached out to Apple again in May, he received the following response:

“We are still investigating this issue. To avoid placing our customers at risk, we would appreciate you not disclosing this information until our investigation is complete. We appreciate your assistance in helping us to maintain and improve the security of our products.”

Murphy suggested Apple should stop promoting the feature until it could be fixed. Apple reportedly told him it expected to address the issue in a security update in the coming weeks. When that failed to happen, Murphy decided to reach out to 404 Media.

Instead, we learned a few weeks ago that Apple plans to make the Hide My Email less useful for some users. In a note to developers, the company said it will move anonymously generated email addresses to the @private.icloud.com domain. Effectively, this makes it easier for apps and websites to recognize that an email address was created with Hide My Email and potentially refuse to accept it during the sign-up process.

What you can do

Using a different email address for every website or service is still good privacy practice. It makes it easier to identify which company exposed your address in a data breach, and you can simply stop using a compromised alias without changing your main email address.

However, until Apple fixes the issue, you shouldn’t rely on the Hide My Email feature as the only way to keep your real email address private.

Meanwhile, keep an eye open for Apple’s promised security update.


Browse like no one’s watching. 

Malwarebytes Privacy VPN encrypts your connection and never logs what you do, so the next story you read doesn’t have to feel personal. Try it free → 

About the author

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.