
Apple ‘Hide My Email’ Vulnerability Reveals People’s Real Email Addresses

“Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses,” the person who reported the issue said.
Photo by Laurenz Heymann on Unsplash.

A vulnerability in Apple’s “Hide My Email” tool lets almost anyone discover a person’s real email address that is supposed to be hidden by the feature, and Apple has failed to fix it for more than a year, according to a security researcher and 404 Media’s own tests.

404 Media is not revealing the exact details of the vulnerability because it can still be exploited as of Monday, when 404 Media verified the issue with one of our own hidden email addresses.

“Apple Hide My Email is leaking email addresses that are supposed to be hidden. We reported the issue and replication instructions to Apple over a year ago. We don't know why it hasn't been fixed, but we don't feel comfortable waiting any longer. Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses,” Tyler Murphy, the co-founder of EasyOptOuts, which discovered and reported the issue to Apple, told 404 Media.

“Free, publicly accessible people-search sites make it easy to link an email address to other personal details, so people relying on Hide My Email for safety may be at risk,” Murphy added.

Do you know about any other privacy issues like this? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.

Hide My Email is part of Apple’s paid iCloud+ product. It lets users generate an anonymous email address which they can then use to sign up to services or email people with instead of their personal email. These email addresses are often two random words and a number ending in the @icloud.com domain.

This can be useful for all sorts of reasons: to reduce spam; to create an account you may not want linked to your personal address and identity; and to not have your personal information held by a site that may later suffer a data breach. I personally have generated more than 400 email addresses with Hide My Email, for example.

To test the issue I generated a new Hide My Email address and provided it to Murphy. Around five minutes later, he replied with my real email address linked to my Apple account which was supposed to be hidden.

“We don't know the full scope of the issue, but in our limited tests with volunteers, 100% of Hide My Email addresses were exploitable,” Murphy said.

Murphy first reported this issue to Apple in June 2025, according to a copy of Murphy’s messages with Apple he shared with 404 Media. A month later, Apple replied and said it was looking into the issue. In March of this year, Apple said it had “addressed the reported issue in a recent system change.” But Murphy found the issue had not been fixed. He provided more information, and later that month Apple said again it was looking into it. Apple said it was still investigating in May.

“We are still investigating this issue. To avoid placing our customers at risk, we would appreciate you not disclosing this information until our investigation is complete. We appreciate your assistance in helping us to maintain and improve the security of our products,” Apple wrote in May.

“It seems that ending new sales of Hide My Email until the problem is fixed would be an effective way to limit the number of customers at risk. Is that an option?” Murphy wrote back.

At the end of May, Apple said it was planning to address the issue in a future security update “expected in the coming weeks.” Murphy then contacted 404 Media on Monday and provided details of the issue and his statement saying, “We don't know why it hasn't been fixed, but we don't feel comfortable waiting any longer.”

Apple did not respond to multiple requests for comment from 404 Media.

In June, TechCrunch reported Apple plans to make changes to Hide My Email that will make it significantly less effective. It will change generated email addresses from using the @icloud.com domain to @private.icloud.com, which means websites or services will be able to more easily block signups from those addresses.
