A major vulnerability has been discovered in one of the most important privacy features that Apple offers to its customers. And according to the cybersecurity researchers who discovered this exploit, the issue appears to have been going on for over a year.
Apple’s “Hide My Email” privacy feature hides a user’s email address by generating a unique iCloud email address, which then forwards emails to the user’s primary email address. The feature allows users to receive emails without revealing their email addresses.
According to a new report from 404 Media, the vulnerability allows anyone to find the email address behind a “Hide My Email” address that Apple creates.
The vulnerability, which the outlet can’t disclose because it’s still exploitable, was discovered by Internet privacy firm EasyOptOuts. 404 Media has also independently verified that the exploit exists.
Usually, before an exploit is disclosed to the public, researchers report their discovery to the company and give the company enough time to fix the vulnerability. According to EasyOptOuts, it told Apple more than a year ago, but the risk still exists.
“Apple Hide My Email rewards email addresses that should be hidden,” said EasyOptOuts founder Tyler Murphy. “We reported the issue and replication instructions to Apple over a year ago. We don’t know why it hasn’t been fixed, but we don’t feel comfortable waiting any longer. Hide My Email users deserve to know that attackers may have access to their hidden email addresses.”
Murphy told 404 Media that the issue was reported to Apple in June 2025. The company said it would “fix” the issue by March 2026. However, Murphy found that the vulnerability still exists.
“We don’t know the full extent of the issue, but in our limited tests with volunteers, 100% of Hide My Email addresses were usable,” Murphy told 404 Media.
Apple finally told Murphy it was “still investigating the matter” in May.
Hide My Email is a feature available to paying iCloud+ subscribers. It has many use cases. For example, users may use an email address generated by Hide My Email to subscribe to an email list so that they are not spammed from their real email address. Or they can sign up for a website using a Hide My Email address if they don’t want their primary address linked to that site.
In June, TechCrunch reported that Apple was planning to make changes to the Hide My Email feature that would make it useless for users. Currently, the generated Hide My Email address uses the “iCloud.com” domain, which is also used by people who use their iCloud.com username as their primary email address. In a recent letter to developers, Apple announced that it will move Hide My Email addresses to the “private.icloud.com” domain. This domain will be reserved for Hide My Email addresses, which means that platforms and services can block email addresses with that domain name directly.
iCloud+ users who rely on Hide My Email may want to explore other email privacy options while Apple resolves the issue.