Researchers have discovered a flaw in Apple's Hide My Email feature that can expose users' real email addresses in as little as five minutes. The tool, designed to create disposable @icloud.com addresses for iCloud+ subscribers, was found to have vulnerabilities that allow attackers to unmask the user's personal email.
Vulnerability Discovery and Response
Digital privacy firm EasyOptOuts identified the first flaw in June 2025 and reported it to Apple, which acknowledged the issue the following month. A second vulnerability was found in March 2025 and was fixed by Apple. However, the company later realized the severity was greater than initially thought. 'About a month ago, we realised that the vulnerabilities' severity and scope are greater than we initially thought,' EasyOptOuts stated last week. 'We're publicly disclosing the existence of the vulnerabilities now because we think Hide My Email users deserve to know that their email addresses may not actually be hidden.'
Testing Confirms Exploitability
Despite Apple's claim that the issue was patched in June, tests by 404 Media on July 1, 2026, showed the flaw remained. Journalist Joseph Cox sent a fake Apple email to EasyOptOuts co-founder Tyler Murphy, who returned Cox's personal address within five minutes. Murphy reported that 'limited tests' showed '100%' of Hide My Email addresses were exploitable. The researchers and the tech outlet withheld the technical details of the hack to prevent exploitation by cybercriminals.
Privacy Implications
Email addresses are valuable to data brokers and hackers, as they are linked to personal data collected by companies during online activities. When users sign up for services, algorithms convert emails into tokens that track behavior across sites. Data brokers compile these into profiles containing phone numbers, home addresses, social media accounts, marital status, education, purchases, and interests. Aras Nazarovas, a senior information security researcher at Cybernews, explained: 'Hackers may cross-reference the leaked emails against data from previous breaches to gather more information about potential victims, or combine them with publicly available information, such as social media profiles, to build detailed victim profiles.' He added that the exploit has not been made public, limiting immediate risk and giving Apple time to fix the issue.
Apple's Planned Changes
Apple introduced Hide My Email in 2019 to allow users to create burner emails when signing up for third-party services. The feature forwards messages from the disposable address to the user's real email. In June, Apple announced plans to generate addresses using the @private.icloud.com domain instead of @icloud.com, but users noted this change might make it more obvious to companies when a hidden email is used. Apple has been approached for comment.



