For many users, Apple's Hide My Email feature is a cornerstone of their digital privacy and security routine. It is the go-to tool for creating new accounts, especially when there is hesitation about trusting a platform with personal data. By masking the actual email address, users ensure that if a company suffers a data breach, sells contact details, or acts maliciously, their primary inbox remains shielded from spam and potential security risks. However, this illusion of total safety has been challenged by recent reports of a significant vulnerability.
The Security Vulnerability
According to findings shared by 404 Media, there is a flaw in the Hide My Email system that allows bad actors to reveal the actual email address behind a generated alias. While the technical details are intentionally limited to prevent further exploitation, Tyler Murphy, co-founder of EasyOptOuts, suggests that essentially anyone could leverage this gap to uncover the identity behind a proxy email. This effectively renders the privacy benefits of the feature moot for those who believe they are staying anonymous.
How the Feature Works
The system is designed to provide a layer of anonymity by generating unique, random email addresses for sign-ups. If a user's primary address is yourname@gmail.com, Apple creates a forwarder like sizzle_lax_3y@icloud.com. All mail sent to this alias is automatically routed to the user's real inbox. The benefit is clear: if a service becomes untrustworthy, the user can simply deactivate the alias without compromising their real contact information. Unfortunately, malicious actors are now using free, publicly accessible people-search sites to reverse-engineer these aliases, mapping them back to the user's real email address. Tests have confirmed that this process can take as little as five minutes.
Apple's Stance and Communication
Apple has apparently been aware of this flaw since June 2025. Murphy, who initially reported the issue to the company over a year ago, has been in ongoing communication with them. In March 2026, Apple informed him that they had patched the problem; however, follow-up tests proved that the vulnerability was still active. As of May 2026, Apple has acknowledged that their investigation is still ongoing. While Apple requested that the issue be kept private until a fix was deployed to protect customers, Murphy felt compelled to disclose the risks to ensure users could make informed decisions about their own security.
Impending Changes to the Feature
Adding to the tension is the reported plan by Apple to modify the domain of these aliases from @icloud.com to @private.icloud.com. By explicitly labeling these addresses as 'private,' the feature will become significantly less effective, as bots and website administrators will immediately recognize the email as an alias. This could lead to more websites blocking these accounts entirely. While these changes have not yet been fully implemented, many users are questioning the future utility of the service if it both fails to secure their data and becomes easily identifiable by third-party services.











