
“Hide My Email” is a key security feature for Apple’s iCloud+ subscribers. It lets users generate throwaway addresses to avoid data trackers and data breaches. Unfortunately, a newly uncovered vulnerability suggests that Apple’s “Hide My Email” might not actually be hiding anything, exposing users’ real addresses.
The five-minute unmasking
An investigation published by 404 Media reveals a significant security loophole. The report claims that the flaw lets bad actors reverse-engineer anonymous aliases, successfully linking them directly back to a user’s real primary inbox. To verify the severity of the flaw, reporter Joseph Cox generated a fresh, randomized address and handed it over to Tyler Murphy, the co-founder of data-removal firm EasyOptOuts. Within roughly five minutes, Murphy successfully extracted the true underlying Apple ID account email.
Worse yet, the exploit appears to boast a flawless success rate. The exact methodology behind the attack remains closely guarded to prevent widespread exploitation. However, initial validation sweeps across a pool of volunteers yielded a shocking 100% exploit rate. Murphy warned that because public people-search directories make it incredibly simple to match basic inbox credentials to physical home addresses and phone numbers, individuals relying on the anonymity tool for high-stakes safety reasons are facing immediate exposure risks.
A year of delays and broken promises
The most frustrating aspect of the situation is the timeline of the fix. EasyOptOuts originally identified the replication steps and formally alerted Apple’s security desk way back in June 2025. Over the course of the following year, the iPhone maker engaged in a slow game of email tag.
In March of this year, Apple support reps claimed they had solved the problem via a quiet background system modification. However, independent evaluation quickly proved the exploit still worked perfectly. By May, Apple engineering teams asked researchers to maintain strict public silence while they continued investigating. They eventually promised a definitive security patch “in the coming weeks.” Fed up with the lengthy delays and believing consumers have a right to know their data is actively vulnerable, the research group chose to step forward.
This isn’t the first time Apple’s privacy-centric advertising has clashed with technical realities. In recent years, the company faced legal pushback after researchers discovered that diagnostic analytics tracking continued operating even when toggled off. Similarly, a high-profile analysis exposed that Apple’s local Wi-Fi MAC address randomization tool—designed to hide a phone’s physical footprint on public networks—was completely ineffective, leaking true identifiers anyway.
The Android Headlines Take
One of Apple’s main selling points is privacy. “Hide My Email” was a key tenet of this philosophy. However, if there’s a method that allows attackers to completely bypass this protection and get the address anyway, then using it is pointless—especially if the researcher reports a 100% exploit rate in tests. It’s currently unknown whether other groups have used the exploit to obtain other users’ emails.
The post Apple’s ‘Hide My Email’ Feature Reportedly Leaks True Addresses in Major Flaw appeared first on Android Headlines.