Apple has been selling Hide My Email to keep your real email address hidden, but it has a vulnerability that does the exact opposite. The worst part is that the company has known about it for a year. 

Hide My Email, part of Apple’s paid iCloud+ subscription, lets users generate anonymous email addresses for signing up to a website, so that their personal or work email remains free of promotional emails and spam. 

However, the team at 404 Media, along with a security researcher, has now confirmed that the feature has a bug that links those anonymous addresses back to your real Apple ID email.

So what exactly happened here?

Tyler Murphy, co-founder of privacy tool EasyOptOuts, reported the vulnerability to Apple in June 2025. Apple acknowledged it a month later and was looking into the issue. 

Then, in March 2026, Apple told Murphy the problem had been addressed in an update, which usually means that it has been fixed. Murphy tested it again, found the issue was still present, and provided Apple with more information.

As recently as May 2026, Apple told Murphy it was still investigating and asked him not to go public with the information. The company also said a fix was expected “in the coming weeks,” which still hasn’t arrived.

404 Media independently verified the issue this week by generating a new Hide My Email address and providing it to Murphy. About five minutes later, Murphy returned the real email address associated with that Apple account.

What does this mean for users?

In Murphy’s own limited tests, 100% of Hide My Email addresses were exploitable. 

Since people-search websites can link an email address to a name, location, and other personal details, anyone using Hide My Email for safety could be at risk. 

The outlet has not published the technical details of the exploit since it remains active. 

Hide My Email is also set to become much less effective, but for a totally different reason. A separate report from June 2026 revealed Apple’s plans to shift generated email addresses from the icloud.com domain to private.icloud.com.

This would make it easier for websites and services to identify and block these addresses, reducing the feature's usefulness for avoiding spam and unwanted tracking.




By HS
