Apple’s Hide My Email feature is facing fresh criticism after a reported flaw allowed people to uncover the real iCloud address behind an anonymous alias. The issue was reportedly discovered in June 2025 and remains unresolved more than a year later, raising concerns about a privacy feature that is supposed to protect your identity when signing up for websites and services.
Hide My Email is included with iCloud+ and lets you create random email aliases that forward messages to your real inbox. The idea is simple: you can give a website a private relay address instead of your real iCloud email, reducing spam and making it harder for companies to track you across services.
The reported vulnerability undermines that purpose. According to the claim, attackers could use the alias to identify the original iCloud address connected to it. That means someone using Hide My Email for privacy could still have their real address exposed.
The reported flaw affects the main purpose of Hide My Email
Hide My Email is meant to act as a buffer between your personal inbox and the websites you use. It is especially useful when registering for online stores, newsletters, app trials, contests, and other services that may later send unwanted messages.
If the original email address can be identified through the alias, the protection becomes far less useful. It could allow advertisers, data brokers, scammers, or other bad actors to connect an anonymous address to a real iCloud account.
| Hide My Email feature | Intended purpose | Reported concern |
|---|---|---|
| Random email aliases | Hide your real email address | Alias may reveal the linked iCloud address |
| Email forwarding | Send messages to your normal inbox | Privacy protection may be weakened |
| Separate aliases | Limit tracking between websites | Identity could still be connected |
| iCloud+ privacy tool | Reduce spam and unwanted contact | Core privacy promise is affected |
The issue was reportedly brought to Apple’s attention in 2025. Apple was said to have indicated that a fix was coming, but the vulnerability was still reportedly present as of July 2026.
Apple reportedly claimed the issue was fixed earlier
The situation is more concerning because Apple reportedly said the problem had been addressed in March. However, the researcher who found the issue later claimed the exploit was still working.
Apple reportedly asked for the details not to be disclosed while it worked on a solution, arguing that public information could put customers at risk. That is a common approach during security fixes, but it becomes more difficult to defend when a reported problem remains unresolved for an extended period.
Apple has not publicly explained why the fix has taken so long or confirmed when a full patch will arrive. The company also reportedly did not provide a response to questions about the issue.
iCloud+ subscribers should be cautious with sensitive signups
Until Apple confirms a fix, Hide My Email aliases should not be treated as a complete privacy shield for highly sensitive accounts. The feature can still help reduce inbox clutter and make it easier to disable messages from unwanted services, but it may not fully prevent someone from connecting an alias to your real email address.

For important services such as financial accounts, healthcare platforms, work systems, or sensitive subscriptions, using a separate dedicated email account may offer better separation than relying only on a forwarding alias.
The reported flaw is a reminder that privacy tools are only as strong as their implementation. Hide My Email remains useful for managing spam, but Apple needs to address the issue quickly to restore confidence in one of iCloud+’s most important features.



Discussion (0)
Be the first to comment.