Apple Hide My Email Flaw Exposes Real Addresses, Unpatched Over a Year
Apple’s Hide My Email privacy feature, a cornerstone of iCloud+’s anonymity protections, currently faces a significant security flaw that may allow attackers to unmask users’ real email addresses.
According to reporting from 404 Media and independent security tests, this vulnerability has reportedly gone unaddressed for over a year despite being disclosed to Apple.
Hide My Email generates disposable, randomized email aliases that forward incoming messages to a user’s primary inbox.
The feature lets individuals sign up for newsletters, apps, and online services without revealing their actual email address, serving as a lightweight anonymity layer built into iCloud+ subscriptions.
Apple Hide My Email Flaw Exposed
The reported vulnerability undermines this core function. Attackers who exploit the flaw can reportedly trace a disposable alias back to its real email address, defeating the feature’s purpose entirely. This exposure carries several downstream risks:
- Targeted phishing campaigns using confirmed real addresses
- Increased spam directed at previously hidden inboxes
- Cross-service tracking and identity correlation
- Account hijacking attempts using deanonymized credentials
Tyler Murphy, co-founder of EasyOptOuts, confirmed the flaw is reproducible. In testing with volunteers, Murphy reported that “100% of Hide My Email addresses were exploitable,” suggesting the issue isn’t an edge case but a systemic weakness in how the feature handles alias-to-address mapping.
404 Media independently verified the vulnerability using its own Hide My Email addresses, confirming the alias-to-real-address link could be traced.
However, the outlet deliberately withheld the technical methodology behind the exploit, citing concerns that publishing exact steps could accelerate widespread abuse before Apple ships a fix.
Researchers reportedly notified Apple of the vulnerability in 2025. As of this reporting, no patch has been issued, and the flaw remains exploitable more than a year after initial disclosure.
This extended delay is notable given that Hide My Email is marketed as a core privacy safeguard in iCloud+, rather than a peripheral or experimental feature, raising the stakes for affected users who may have assumed a stronger guarantee of anonymity.
The scope of impact extends beyond individual accounts. If attackers can systematically deanonymize Hide My Email aliases, they could:
- Compile targeted phishing lists using verified real addresses
- Link a user’s separate online identities across unrelated services
- Deanonymize users who relied on the feature for sensitive registrations
This kind of correlation attack is particularly dangerous for users who used Hide My Email specifically to compartmentalize high-risk or sensitive accounts, such as dating apps, financial services, or activism-related platforms.
Recommendations
Until Apple releases an official patch, security researchers advise treating Hide My Email as an incomplete anonymity solution rather than a guaranteed privacy shield.
- Avoid using Hide My Email for high-risk or sensitive account registrations
- Monitor primary inboxes for unusual phishing attempts or spam patterns
- Review which services are tied to existing aliases and assess exposure risk
- Consider alternative email masking services with stronger vulnerability disclosure records
No Comment! Be the first one.