A feature designed to protect your real email address is apparently doing the opposite. A bug in Apple's "Hide Email Address" allows almost anyone to reveal the hidden address behind an alias – and Apple has left the problem unresolved for over a year.
"Hide My Email" is a feature of the paid iCloud+ subscription that generates random alias addresses and forwards messages to the actual mailbox. The feature is primarily intended for sign-ups and contact with third-party providers – it is meant to shield the real address from spam, data leaks, and unwanted identification. It is precisely this protection promise that has now started to wobble: security researchers have demonstrated a vulnerability that allows the real address behind such an alias to be determined. What is particularly explosive is not just the flaw itself, but the way it has been handled – because Apple was informed about it more than a year ago.
What the gap allows
At its core, this vulnerability undermines the very purpose of the function: instead of remaining anonymous, the underlying real address can be revealed. The severity of the problem is demonstrated by its extent – in tests with volunteers, all tested alias addresses proved vulnerable, i.e., 100 percent.
The technical details of the vulnerability are being deliberately withheld because it remains actively exploitable. The problem was independently verified this week using an address generated by the feature. The fact that a privacy feature can be circumvented in this way is all the more serious because many users rely on it precisely because of this promise (via 404Media).
A year without a solution
The vulnerability was discovered and responsibly reported by security researcher Tyler Murphy, co-founder of the EasyOptOuts service. He informed Apple in June 2025, including instructions on how to reproduce the problem. Apple acknowledged receipt a month later and stated that it was investigating the matter.
The process then dragged on for months. In March 2026, Apple informed the researcher that they had fixed the reported problem with a recent system change - but the vulnerability was still open. Murphy provided further information, whereupon Apple again stated that they were still investigating. In May, the pattern repeated itself: Apple asked that the vulnerability not be made public until the investigation was complete. Murphy's suggestion to temporarily suspend the creation of new alias addresses to limit the risk to customers apparently went unheeded. At the end of May, Apple finally announced that they intended to fix the problem with a security update expected in the coming weeks.
After more than a year without a fix, the researcher decided against further delay. According to him, users deserved to know that attackers might be able to determine their normally hidden addresses.
Why this is sensitive for those affected
The real danger lies less in the revealed email address itself than in what can be deduced from it. Numerous freely accessible personal databases allow an email address to be linked to further personal details. Anyone who relies on "hiding their email address" for security reasons - for example, to protect their identity - could be more exposed than they realize.
This feature is rightly considered one of the most effective methods for protecting your real email address in everyday use by using a separate, disposable address for each service. This very trust is called into question by the vulnerability. To make matters worse, Apple recently migrated the alias addresses to a separate domain called "private.icloud.com" - a move that unintentionally makes it easier for platforms to selectively block iCloud aliases.
A data privacy feature under pressure
This case hits Apple where it hurts, as data privacy has been a key selling point for the company for years. Leaving a feature designed to deliver on this promise vulnerable for over a year hardly aligns with this claim. Until the announced security update is released and demonstrably closes the vulnerability, the situation remains unsatisfactory for everyone who relies on the "hide email address" protection. Whether the promised fix will hold this time remains to be seen – after all, Apple had already announced a fix once before, but the problem wasn't actually resolved. (Image: Apple)
- iOS 26.6 is approaching: When will Apple release the update?
- Claude Fable 5 returns: USA lifts export ban
- Tim Cook is seeking a way forward for Siri AI with the EU
- Anthropic presents Claude Sonnet 5
- Apple Creator Studio is getting a major AI update
- Supreme Court accepts Apple's appeal in the Epic dispute
- Netflix requires a separate email address for each profile
- UK plans to open Apple's App Store following the EU model
- Three AirDrop vulnerabilities discovered – Apple makes improvements
- Leaked iPhone 18 Pro videos disappear again
- Apple is bringing forward security updates due to AI threat
- OpenClaw brings its AI agent to the iPhone as an app
- iPhone 18 Pro drop tests surface on the dark web
- iOS 26.5.2, iPadOS 26.5.2 and macOS 26.5.2 are here
- iOS 26.6 Beta 3: Apple nears completion
- WhatsApp: Usernames can now be reserved
- Apple acquires the award-winning design tool Play
- Indian antitrust case: Apple accuses the authority of plagiarism
- Apple and Chinese storage: Approval is likely to be difficult
- Apple is seeking approval for Chinese storage devices
- The US partially releases Claude Mythos 5



