


Apple's much-lauded 'Hide My Email' feature that's exclusive to the iCloud+ subscription could actually be putting your privacy at risk, as an investigation reveals how almost anyone can find out your real email address by using the one Apple generates to hide it.
This is a significant vulnerability for a tool whose single purpose is to prevent people from finding out your real email, and it also appears that Apple isn't doing enough to deal with the risk despite being informed of the dangers over a year ago.
As reported by 404 Media, the vulnerability – which has been kept a secret to prevent the issue from escalating even further – was discovered by Tyler Murphy, co-founder of EasyOptOuts, a personal data removal service.
He originally informed Apple of the issue back in June 2025, when the tech giant urged him not to disclose any information publicly to avoid putting customers at risk, but now that a year has passed without any resolution, he felt the need to go public to warn people.
Addressing the vulnerability, Murphy outlines that Hide My Email is "leaking email addresses that are supposed to be hidden [...] We don't know why it hasn't been fixed, but we don't feel comfortable waiting any longer. Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses."

The issue appears to revolve around the availability of 'people-search sites' that can link an email address to other personal data, effectively exposing seemingly private addresses as being associated with not only your real account, but also potentially other personal data.
It's impossible to know the true scale of an issue through isolated, small-scale tests, but it appears that these tests uniformly exposed the vulnerability at hand.
"We don't know the full scope of the issue," Murphy explained, "but in our limited tests with volunteers, 100% of Hide My Email addresses were exploitable."
This incredibly worrying vulnerability counters the entire point of Hide My Email as a service. In an ideal world, the feature is supposed to anonymize your email account by providing a 'fake' address that routes and forwards all emails back to your actual inbox.
It usually takes the format of two random words, a bunch of numbers, and then the '@icloud.com' suffix, making it effectively impossible for companies and individuals to tell when you're faking an address and what the account behind it actually is — at least, until now.

It's incredibly useful for anyone wanting to avoid giving out any personal information – as that could come back to bite you in the event of a data breach – and it could also help you avoid any spam coming your way.
Beyond the more pressing vulnerability currently plaguing the service, many Apple users were also shocked to discover recent plans to change the domain that is associated with addresses generated by Hide My Email, making it far easier for companies to block accounts trying to use the feature.
As outlined by TechCrunch, Apple seemingly now plans to end all generated addresses with '@private.icloud.com', not only making it clear when someone is hiding their email but also providing an easy route for filtering.
Combine this with a vulnerability that lets pretty much anyone discover the true email hiding behind the masquerade, and you've got an issue that just got even more worrying for anyone looking to use Hide My Email.