Apple’s Hide My Email service is facing fresh privacy concerns after a reported flaw allowed the real iCloud address behind an anonymous email alias to be identified. The issue was reportedly discovered in June 2025, but Apple has not yet delivered a public fix more than a year later.
Hide My Email is part of iCloud+ and is designed to let people create random email aliases when signing up for websites, newsletters, shopping accounts, and other online services. Messages sent to those aliases are forwarded to the user’s real inbox, while the original address is meant to remain hidden.
If the reported flaw can reveal that original address, it undermines the main purpose of the feature.
Hide My Email Is Supposed to Keep Your Main Address Private
The service is meant to reduce spam, tracking, and unwanted contact by giving each website a separate anonymous address. You can disable an alias later if it starts receiving unwanted messages, without changing your main email account.
| Hide My Email feature | Intended purpose |
|---|---|
| Random email aliases | Keeps your real address private |
| Email forwarding | Sends messages to your main inbox |
| Alias controls | Lets you disable unwanted addresses |
| iCloud+ integration | Works across Apple services and devices |
| Privacy protection | Limits tracking and data collection |
The reported vulnerability would allow someone to connect a Hide My Email alias back to the real iCloud account behind it. That could expose an address you specifically chose not to share with a website or service.
Apple Was Reportedly Told About the Issue in 2025
The flaw was reportedly identified by privacy researcher Tyler Murphy in June 2025. Apple was said to have been informed about the issue and later indicated that a fix was being prepared.
The company reportedly claimed the problem had been resolved in March, but the researcher later found that the exploit still worked. Apple then reportedly asked that the details remain private while it continued working on a fix.
As of July 2026, the issue is still said to be unresolved.
| Timeline | Reported development |
|---|---|
| June 2025 | Vulnerability reportedly discovered |
| March 2026 | Apple reportedly said the issue was fixed |
| May 2026 | Fix reportedly expected within weeks |
| July 2026 | Problem reportedly still remains |
Apple has not publicly confirmed the technical details of the flaw or provided a timeline for a patch.
Why the Report Raises Serious Privacy Questions
Hide My Email is not a free convenience feature for every Apple account. It is part of the paid iCloud+ service, which makes the alleged issue more concerning for subscribers who rely on it to separate their real address from online accounts.

A hidden address can be important for journalists, activists, business owners, people avoiding harassment, and anyone trying to reduce unwanted contact. Even for ordinary users, email aliases are often used to limit spam and prevent websites from linking multiple registrations to a primary inbox.
If an alias can be traced back to the main address, those protections become far less useful.
What iCloud+ Users Can Do for Now
Until Apple provides a confirmed fix, people who rely on Hide My Email for sensitive accounts may want to be cautious about where they use new aliases.
You can also review existing aliases and disable any that are no longer needed. For highly sensitive accounts, using a separate email provider or a dedicated mailbox not linked to your primary identity may offer more separation.
The reported issue does not mean every Hide My Email alias has been exposed. However, it raises a significant question about whether Apple’s privacy feature has worked as promised for affected accounts.
Apple will need to provide clearer information about the flaw, its scope, and the final fix before iCloud+ subscribers can be confident that their real email addresses are properly protected.



Discussion (0)
Be the first to comment.