Apple’s Hide My Email feature may contain a vulnerability that allows attackers to expose the real email accounts connected to anonymous Apple-generated addresses.
Hide My Email is available to iCloud+ subscribers and creates unique email aliases that automatically forward messages to a personal inbox. Users can provide these aliases to websites and services to reduce spam, limit tracking, and protect their permanent addresses from future data breaches.
The vulnerability was discovered by the team behind EasyOptOuts and reported by 404 Media .
According to the researchers, the flaw can reveal the personal email address linked to a Hide My Email alias. EasyOptOuts said the problem remained unresolved as of June 30, 2026.
The researchers have not publicly disclosed the technical details needed to reproduce the exploit because doing so could place Apple users at further risk.
EasyOptOuts CEO Tyler Murphy said the group contacted Apple about the vulnerability and provided instructions for reproducing it more than a year ago.
Apple reportedly told the researchers at different stages that it was investigating the issue, developing a solution or had already deployed a fix. However, Murphy and 404 Media reporter Joseph Cox were still able to exploit the flaw while preparing the latest report.
EasyOptOuts said Apple also confirmed that Hide My Email was not designed to allow the discovery of the underlying personal address and requested further details about the vulnerability.
Murphy said EasyOptOuts does not know the full scale of the issue.
However, the researchers reported that every Hide My Email address tested with a limited group of volunteers could be exploited.
Murphy said the team decided to disclose the existence of the flaw because users deserved to know that attackers might be able to discover the addresses they intended to keep private.
Apple had not provided a public response to the latest reports at the time of publication.
The company’s official documentation continues to state that Hide My Email keeps a user’s personal address private by generating unique addresses that forward messages to the selected inbox.
Get the latest tech news, telecom insights, and product launches wherever you prefer.
Add ProPakistani to Preferred Sources and see more of our stories in Google Search and Top Stories.
Shares