Peekaboo! Apple’s ‘Hide My Email’ Feature Is Leaking Real Addresses

A newly exposed, year-old vulnerability lets hackers peel back iCloud’s privacy shield
iOS 15 iCloud Hide My Email on iPad Jesse Hollington / iDrop News

Researchers have discovered a potentially serious flaw in Apple’s “Hide My Email” that could reveal the real email addresses hidden behind the privacy shield.

While the details of the flaw haven’t been disclosed since the vulnerability still exists, the folks at 404 Media have confirmed its existence and were able to successfully exploit it in every one of their test cases.

To make matters worse, this issue — and the specific details on how it could be replicated — was reported to Apple over a year ago, and still hasn’t been fixed, according to Tyler Murphy, the co-founder of EasyOptOuts, which first discovered the flaw and filed the report with Apple.

Apple Hide My Email is leaking email addresses that are supposed to be hidden. We reported the issue and replication instructions to Apple over a year ago. We don’t know why it hasn’t been fixed, but we don’t feel comfortable waiting any longer. Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses.

Tyler Murphy, EasyOptOuts

Apple introduced Hide My Email in 2021 as part of its iOS 15 update, although it’s predominantly a back-end iCloud service. While all iCloud users were able to set it up during the beta period, it ultimately requires a paid iCloud+ subscription — although any pricing tier is eligible.

As the name implies, Hide My Email obscures your real email address by generating a random one that can be handed out instead. Messages sent to that address are automatically forwarded to your real email address, and if you’re an iCloud user, it will even be automatically used for replies.

At least that’s how it’s supposed to work. Even before this flaw was brought to light, there were several scenarios where your real email address could slip out if you weren’t careful. Chief among these was replying to an email sent to a Hide My Email address from an email client that didn’t know it was supposed to be using that as the “From” address. This could even happen with some built-in iOS services outside of the Mail app.

Further, while Hide My Email doesn’t require users to be iCloud users (hidden addresses can be forwarded to any other email address, from Gmail to your local ISP mailbox), all bets are off if you’re replying from one of those services. Unless you jump through hoops to explicitly set up your hidden email address as an alternate sender, your real email address is guaranteed to be exposed if you reply to a message from any service other than iCloud.

Lastly, it should go without saying that Hide My Email won’t protect you from law enforcement, as one bright spark discovered when he thought he could use Apple’s anonymity to send email threats to the FBI director’s girlfriend. Needless to say, the FBI handed Apple a court order, and Apple gave up the identity of the iCloud user — as it’s required to do by law.

Still, it’s fair to say that most folks using Hide My Email probably aren’t doing so for nefarious purposes, and probably aren’t even engaging in two-way communications with those addresses. Hide My Email is mostly a handy way to sign up for things online or fill in web forms when you’d rather not disclose your real address. After it’s used for a single confirmation code or receipt, many folks forget the address ever existed.

Is Hide My Email Still Private?

As someone who has worked with email technologies since nearly the dawn of the internet, I can think of several ways that Hide My Email addresses could be exposed. However, the most obvious ways generally involve the scenarios I already mentioned above: replies to messages sent to your Hide My Email address that could easily contain your real address, whether in the From line or buried within the email headers.
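One defensive check for the reply-leak scenario described above, added here as an example that is not from the article, Apple or EasyOptOuts: parse an outgoing reply with Python’s standard email module and flag any sender-identity header that carries the real mailbox instead of the relay address. The addresses, domains and messages are constructed placeholders.

```python
import email
from email import policy
from email.utils import getaddresses

# Headers that normally carry the sender's own identity in a reply and are
# the usual places a mail client substitutes the real mailbox for the relay.
SENDER_HEADERS = ("From", "Sender", "Reply-To", "Return-Path")

# Constructed placeholders: the relay address handed out by the service and
# the real mailbox it forwards to.
HIDDEN = "abc123def@relay.example"
REAL = "jane.real@example.net"


def find_real_address_leaks(raw_message: str, real_address: str) -> list:
    """Return (header, value) pairs in which the real mailbox appears."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    real = real_address.lower()
    leaks = []
    for header in SENDER_HEADERS:
        for value in msg.get_all(header, []):
            addrs = [addr.lower() for _, addr in getaddresses([str(value)])]
            if real in addrs:
                leaks.append((header, str(value)))
    # Trace headers added by a relay can also carry the originating mailbox.
    for value in msg.get_all("Received", []):
        if real in str(value).lower():
            leaks.append(("Received", str(value)))
    return leaks


# Constructed reply sent from a third-party client that ignored the relay alias.
LEAKY_REPLY = f"""\
From: Jane Example <{REAL}>
Reply-To: {REAL}
To: shop@example.com
Subject: Re: Your order

Thanks, received.
"""

# Constructed reply that correctly keeps the relay address as the sender.
SAFE_REPLY = f"""\
From: Jane Example <{HIDDEN}>
To: shop@example.com
Subject: Re: Your order

Thanks, received.
"""
```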

However, what’s much more concerning about this week’s report is that it doesn’t sound like any such interactions are necessary for the real address to leak. When 404 Media’s Joseph Cox tested it, he had to do nothing more than provide the address for Murphy to come back with the real one.

To test the issue I generated a new Hide My Email address and provided it to Murphy. Around five minutes later, he replied with my real email address linked to my Apple account, which was supposed to be hidden.

Joseph Cox

There’s no mention of email exchanges using the Hide My Email address, or any other interactions on the part of the owner. The implication is that Murphy was able to take nothing more than the string of characters that make up an obscured Hide My Email address and use that to get Apple’s systems to disclose the real address.

Murphy ultimately went public with this issue because he feels that Apple has had more than enough time to address it, and now users should be warned. Apple reportedly acknowledged the issue in July 2025, and then claimed it had addressed it in March 2026. However, after Murphy demonstrated that it had not been fixed, he provided more information to Apple, which thanked him for his assistance but asked him not to disclose it.

We are still investigating this issue. To avoid placing our customers at risk, we would appreciate you not disclosing this information until our investigation is complete. We appreciate your assistance in helping us to maintain and improve the security of our products.

Apple’s response to Tyler Murphy

Murphy wrote back to Apple suggesting that it should consider “ending new sales of Hide My Email until the problem is fixed,” to limit the risk to its customers. At the end of May, Apple said it was planning to address the issue in a future security update “in the coming weeks,” but when the company still appeared to be dragging its heels, Murphy contacted 404 Media with the details, saying he’d given Apple a year to fix it, and didn’t “feel comfortable waiting any longer.”

It’s noteworthy that Apple quietly announced a shift in its Hide My Email address strategy at WWDC, noting that they’d now be hosted at @private.icloud.com rather than @icloud.com. This raised some concerns that it could be easier for sites to block these addresses, since they’re now easily identifiable by their own subdomain, but it also raises the question of whether this change had anything to do with Murphy’s report. However, based on how email technologies work, I can’t imagine how switching to a subdomain would help fix this issue.

So what’s the bottom line here? Well, it’s fair to say that Hide My Email is still fine for casual privacy where you simply don’t want your real email address sitting in a database somewhere or landing on a spambot’s list of targets. The vulnerability requires a specific attack to pull out the real addresses behind the curtain.

However, this flaw definitely means you should be wary of using it for any scenarios where you absolutely do not want your actual email address to be disclosed under any circumstances, as the researchers have determined — and Apple has tacitly confirmed — that this is very possible right now.
