Apple’s Hide My Email feature might not be so private after all


Edgar Cervantes / Android Authority

TL;DR

  • Apple’s Hide My Email feature, which generates one-off email addresses to obscure users’ primary emails, has a significant security vulnerability.
  • The vulnerability could allow bad actors to uncover users’ primary email addresses using generated Hide My Email addresses.
  • Apple was first alerted to the vulnerability in June of 2025, but has not patched it.

Apple offers a handy feature called Hide My Email that generates one-off email addresses that redirect to your primary email, giving users a way to share contact information without divulging any personal or account info. That’s how it should work in theory, at least — but a vulnerability that can expose users’ primary email addresses has been discovered, and it doesn’t sound like Apple is in much of a hurry to fix it.

As reported by 404 Media’s Joseph Cox, the issue was first raised with Apple by personal data removal service EasyOptOuts more than a year ago. Apple has acknowledged the problem in communication with EasyOptOuts co-founder Tyler Murphy, but as of May, the company said it was still investigating. Murphy told 404 that “in our limited tests with volunteers, 100% of Hide My Email addresses were exploitable.”

Apple’s Hide My Email is available with paid iCloud+ subscriptions and generates randomized addresses that are linked to your main email inbox, but that don’t include your name or any variation of your “real” email address. The privacy implications are obvious: If a generated email address lands on a mailing list you didn’t subscribe to or turns up in a data breach, it’s a much smaller problem to contain than if the permanent email you use to access your iCloud account does.

The report says that Murphy has been in contact with Apple about the vulnerability since last June. Earlier this year, the company told Murphy that it was looking into it and asked him not to publicly share any details about the vulnerability. 404 doesn’t include any details about how the exploit works, but Cox writes that, using the exploit on a freshly generated Hide My Email address, Murphy was able to uncover Cox’s true email address within minutes.

I’ve always wished that more email providers, and Gmail in particular, would offer a similar feature to Hide My Email — there aren’t many people or organizations I want having the email address that’s tied to my primary Google account. You can use aliases to similar effect, but it’s not quite the same. Ideally, if other providers do take a crack at a similar offering, they’ll avoid whatever pitfall has been identified in Apple’s system.
