Hide My Email was supposed to protect identity: instead, it has exposed users' real addresses for a year
Hide My Email, the iCloud+ feature that generates anonymous email addresses so that the real one never has to be shared, has a vulnerability that allows a user's actual address to be recovered from an anonymous one. It was discovered by Tyler Murphy, co-founder of EasyOptOuts, who reported it to Apple in June 2025; more than a year later, the problem has still not been definitively fixed.
The feature generates addresses under the @icloud.com domain that forward messages to the user's real inbox; the protection works because these addresses are indistinguishable from a regular @icloud.com account. 404 Media verified the flaw firsthand: they generated a new Hide My Email address and provided it to Murphy, who within about five minutes returned the true email address linked to the Apple account.
Murphy stated, "We reported the issue and the instructions to reproduce it to Apple over a year ago. We do not know why it has not been fixed yet, but we no longer feel comfortable waiting. Those who use Hide My Email deserve to know that an attacker could discover their hidden address." In tests conducted with volunteers, he added, 100% of the tested Hide My Email addresses were found exploitable.
Apple’s response, amid delays and partial fixes
Apple responded to the initial report about a month later, in July 2025, saying they were examining the issue. In March 2026, they communicated that they had "resolved the problem with a recent system update," but Murphy verified that the vulnerability was still present. By the end of May 2026, Apple stated that they intended to address the issue with a future security update "expected in the coming weeks"; however, at the time of publication, the flaw was still exploitable.
Murphy also suggested that Apple temporarily suspend sales of Hide My Email as a containment measure, a proposal to which Apple did not respond. The exact technical details of the vulnerability are not being disclosed precisely because it is still exploitable. The risk, Murphy emphasizes, is aggravated by public people-search sites, which make it easy to link an email address to other personal information: anyone relying on Hide My Email for their personal safety could therefore be exposed.
Domain change further complicates the situation
The issue overlaps with a change announced by Apple in June 2026: Hide My Email addresses will move from the @icloud.com domain to the new @private.icloud.com, unifying them with the addresses used by Sign in with Apple, which until now has used privaterelay.appleid.com. Addresses already generated on the previous domains will continue to function and forward mail without interruption.
However, this change will make it easier for websites and apps to identify and block Hide My Email's anonymous addresses: once they sit on a dedicated domain, they are no longer indistinguishable from regular email addresses. A feature designed to protect users' identities thus risks undermining itself on two fronts: a flaw that has negated its purpose for over a year, and a technical change that makes its addresses recognizable to third parties.