Apple Hide My Email flaw exposes real address in minutes, researchers say
Apple Hide My Email flaw exposes real address in minutes

Apple's Hide My Email feature, designed to protect user privacy by generating disposable @icloud.com addresses, contains vulnerabilities that can expose a user's real email address in as little as five minutes, according to researchers at digital privacy firm EasyOptOuts.

Discovery and disclosure

EasyOptOuts discovered the first flaw in June 2025 and reported it to Apple, which acknowledged the issue the following month. A second vulnerability was found in March and was subsequently fixed by Apple. However, the company stated that the severity and scope of the vulnerabilities were greater than initially thought. 'We're publicly disclosing the existence of the vulnerabilities now because we think Hide My Email users deserve to know that their email addresses may not actually be hidden,' EasyOptOuts said last week. 'We want people to be able to account for this risk when deciding when and how to use Hide My Email.'

Verification of the flaw

Despite Apple's claim that the issue was patched in June, tests conducted by 404 Media on the following Monday found the vulnerability still present. Journalist Joseph Cox created a fake Apple email and sent it to EasyOptOuts co-founder Tyler Murphy. Within five minutes, Murphy returned Cox's personal email address. Murphy noted that 'limited tests' showed '100%' of Hide My Email addresses were exploitable. Neither the researchers nor the tech outlet disclosed the technical details of the hack to prevent cybercriminals from exploiting it.

Wide Pickt banner — collaborative shopping lists app for Telegram, phone mockup with grocery list

Why email privacy matters

Email addresses serve as digital breadcrumbs for companies and cybercriminals. They are linked to personal data collected as users browse online. When signing up for services, algorithms convert email addresses into tokens that track user activity across websites. Data brokers compile and sell this information, often on the dark web, creating detailed profiles that include phone numbers, home addresses, social media accounts, marital status, educational background, recent purchases, and interests. Aras Nazarovas, a senior information security researcher at Cybernews, explained: 'Hackers may cross-reference the leaked emails against data from previous breaches to gather more information about potential victims, or combine them with publicly available information, such as social media profiles, to build detailed victim profiles.' However, Nazarovas noted that 'the exploit hasn't been made public yet, so the actual impact is limited. This gives Apple an opportunity to fix the issue before it could be exploited at scale.'

Apple's response and future changes

Apple introduced Hide My Email in 2019, allowing users to create burner email addresses when signing up for third-party services using their Apple ID. These disposable addresses forward messages to the user's real email, and users can delete them if they receive spam. In June, Apple announced plans to generate new hidden email addresses using the @private.icloud.com domain instead of @icloud.com. However, some users have expressed concern that this change could make it more obvious to third-party companies when a hidden email is being used. Apple has been approached for comment but has not yet responded.

Implications for users

While the vulnerability has not been widely exploited, the disclosure highlights ongoing risks to digital privacy. Users are advised to remain cautious when using Hide My Email and to monitor their accounts for suspicious activity. The researchers hope that public awareness will pressure Apple to implement a more robust fix.

Pickt after-article banner — collaborative shopping lists app with family illustration