A vulnerability was discovered in Apple's "Hide My Email" that allows an attacker to work out your real email address. It's not been fixed for over a year.
Hide My Email has been a great help for Apple users who need to communicate with services and companies, but don't want to provide their real email address. Spam, as ever, continues to be a problem requiring solutions like this.
However, while it is capable of thwarting your typical spammer or marketing-happy small business, it's not foolproof. As a report from 404Media reveals, it's a feature that can be beaten.
The exact nature of the vulnerability hasn't been detailed because Apple has yet to fix it. Testing conducted for the report on Monday verified that it is still a problem.
EasyOptOuts co-founder Tyler Murphy discovered an issue with Hide My Email in June 2025, and responsibly reported it to Apple as well as the publication. Twelve months later, and the problem still exists.
Murphy explains that the issue was reported and instructions to replicate it were provided to Apple. He doesn't know why it hasn't been fixed, but also didn't feel comfortable waiting to discuss the problem any longer.
"Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses," he declared.
There are free websites accessible to the public that link email addresses to other personal details, he adds. Anyone relying on Hide My Email may find themselves at risk of being identified on them.
Under Investigation
While Apple hasn't yet fixed the hole in Hide My Email, it is certainly aware of the problem. One month after Murphy contacted Apple, it confirmed it was looking into the issue.
In March 2026, Apple said it had "addressed the reported issue in a recent system change." However, Murphy discovered the hole hadn't been plugged.
Again, more information was provided to Apple, which replied a month later saying it was doing more checks.
Apple updated Murphy in May, insisting it was "still investigating" the problem. It also wished for Murphy to hold off disclosing the problem until after the investigation concluded.
Murphy wrote back, proposing that Apple could stop selling access to Hide My Email until a fix was available, as a means to limit the number of users at risk.
By the end of May, Apple said that it would be addressed in a security update "expected in the coming weeks."
After being alerted by Murphy, the publication contacted Apple multiple times, but did not get a response.
Questionable changes
While it is unknown exactly when and how the vulnerability will be fixed, it may end up accompanying other changes to the service. These are changes that have questionable value to its users.
A June 15 developer notice warned that the email domains used for Sign In with Apple and Hide My Email will be updated in the future. The intention is for email providers and developers to update their systems in advance of the changeover.
The changes mean that newly generated relay email addresses for Hide My Email will change from the domain iCloud.com to private.icloud.com. Sign In with Apple currently creates relay addresses ending with privaterelay.appleid.com, and will change to the private.icloud.com version.
The problem here is that there's nothing stopping a website or newsletter from blocking email addresses that use private.icloud.com, forcing users to sign up with another legitimate account.
For Hide My Email at least, the change removes the source ambiguity protecting the service and its users.








