Verification status

The vulnerability is reported and independently reproduced

EasyOptOuts says it disclosed two related weaknesses to Apple in 2025. 404 Media independently tested the issue with a newly created alias, and researcher Tyler Murphy reportedly identified the underlying real address within about five minutes. The exact technique remains private to avoid enabling abuse. Apple had not publicly confirmed a complete fix at publication time.

01 // The finding

What happened to Apple's Hide My Email?

Hide My Email is supposed to place a disposable address between you and a website, app, business, or correspondent. According to a disclosure by privacy company EasyOptOuts, weaknesses in that system may allow an attacker who knows an alias to discover the permanent address receiving its forwarded messages.

EasyOptOuts says it first reported a vulnerability on June 11, 2025, supplied reproduction instructions two days later, and reported a second, similar issue in July. Apple acknowledged that the behavior was not intended. In March 2026, Apple said a system change had addressed the reports, but the researchers said their original tests still worked. They reported broader potential impact in May and, after another claimed fix on June 30, retested and found the issue still reproducible.

The strongest public evidence is 404 Media's independent check. Reporter Joseph Cox created a fresh Hide My Email address and gave it to Murphy, who returned the linked real address within minutes. Murphy also said every alias worked in a small volunteer test. That 100 percent result is concerning, but it is not a measured global prevalence rate: the sample size and selection method have not been published.

Sources: EasyOptOuts disclosure timeline and 404 Media's independent report.

02 // Architecture

What is Hide My Email, and how should it work?

Hide My Email is an address-masking service included with iCloud+. Instead of entering your everyday address on a form, Apple generates a unique alias. Mail sent to that alias passes through Apple's relay infrastructure and is forwarded to an address associated with your Apple Account. You can reply while keeping the alias visible to the other party, then deactivate that alias if it attracts spam or is exposed in a breach.

This design offers compartmentalization. A different alias for each service prevents companies from using one shared email address as a simple cross-site identifier. A breached alias can be disabled without replacing the address used for banking, account recovery, or personal communication. It can also reveal which company leaked or shared an address.

| Stage        | What the sender sees                 | What happens next                                                       |
|--------------|--------------------------------------|-------------------------------------------------------------------------|
| Signup       | A random Apple-generated alias       | The service stores the alias instead of your primary address.           |
| Delivery     | The same alias                       | Apple filters and forwards the message to your selected inbox.          |
| Reply        | The alias remains the visible sender | Apple relays the reply without intentionally revealing the destination. |
| Deactivation | Delivery stops                       | Your underlying inbox and other aliases continue working.               |

There are two related implementations. iCloud+ subscribers can create aliases on demand in Safari, Mail, or iCloud settings. Sign in with Apple can separately create an address for one app or website. Apple says messages are deleted from relay servers after delivery and that content is processed only for standard spam filtering. This is forwarding and identity separation, not end-to-end encryption or immunity from lawful account requests.
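The four stages above can be modelled as a small in-memory relay. This is an added, constructed example (not Apple's code, and it assumes a simplified alias-to-destination table) whose point is the invariant a masking relay must hold: the mapping is the only secret, and nothing the other party receives may carry the forwarding destination.

```python
import secrets
from dataclasses import dataclass

# Constructed model of an address-masking relay in the style of Hide My Email.
# Illustrative only; it is not Apple's implementation.

@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str
    body: str

class MaskingRelay:
    def __init__(self, domain="private.icloud.com"):
        self.domain = domain
        # alias -> [real address, active]. This table is the secret the relay protects.
        self._aliases = {}

    def create_alias(self, real_address):
        """Signup: mint a random alias; the site only ever stores this value."""
        alias = f"{secrets.token_hex(6)}@{self.domain}"
        self._aliases[alias] = [real_address, True]
        return alias

    def deactivate(self, alias):
        """Deactivation: stop delivery for one alias without touching the others."""
        self._aliases[alias][1] = False

    def deliver(self, msg):
        """Delivery: a third party writes to the alias. Forward to the real inbox,
        or drop silently if the alias is unknown or deactivated."""
        entry = self._aliases.get(msg.recipient)
        if entry is None or not entry[1]:
            return None
        return Message(msg.sender, entry[0], msg.body)

    def relay_reply(self, alias, real_address, to, body):
        """Reply: only the alias owner may send as the alias, and the message the
        correspondent receives shows the alias as sender, never the owner."""
        entry = self._aliases.get(alias)
        if entry is None or not entry[1] or entry[0] != real_address:
            return None
        return Message(alias, to, body)

def leaks_destination(outbound, real_address):
    """Invariant check on what leaves the relay: the destination address must not
    appear in any header field the correspondent sees."""
    return real_address in (outbound.sender, outbound.recipient)
```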

Official documentation: Apple's private relay explanation and Hide My Email in Mail.

03 // Impact

Why revealing the real address matters

An email address is often more than a delivery destination. Data brokers and people-search services may associate it with names, phone numbers, relatives, employers, old addresses, or social profiles. A discovered address can therefore become a pivot for doxxing, targeted phishing, password-reset attempts, harassment, or combining records from multiple breaches.

The risk is not equal for everyone. A shopper using an alias to contain newsletters faces a different threat from a journalist, activist, abuse survivor, public figure, security researcher, or clinician who depends on separation between public communication and personal identity. For high-risk users, the difference between "reduces casual exposure" and "resists a motivated attacker" is crucial.

04 // Defensive steps

What Hide My Email users should do now

  • Keep using unique aliases for ordinary signups. They still limit routine tracking, simplify spam control, and reduce reuse of your permanent address after a breach.
  • Do not rely on an alias as your only anonymity layer. For sensitive activity, use a separate mailbox created without personally identifying recovery details and follow an appropriate threat model.
  • Audit active aliases. Review them under Apple Account, iCloud, and Hide My Email. Label important aliases clearly and deactivate ones you no longer need. Deactivation reduces future exposure but cannot erase copies already held elsewhere.
  • Harden the destination account. Use a unique password, multifactor authentication, secured recovery methods, and cautious password-reset practices. An exposed address should not be enough to take over an account.
  • Expect more convincing phishing. Treat unexpected Apple, iCloud, banking, and account-recovery messages as untrusted. Open the relevant app or type the known website address instead of following email links.
  • Watch for Apple's security confirmation. A vendor saying a change was deployed is not the same as independent verification. Look for a public security notice and confirmation from the reporting researchers.

05 // A separate change

The new private.icloud.com domain is a different privacy concern

Apple has also announced that newly generated addresses will move to the dedicated @private.icloud.com domain. Previously, many on-demand aliases used @icloud.com, making them difficult to block without also rejecting ordinary iCloud customers. A dedicated domain lets websites identify and potentially refuse masked addresses more easily.

That policy change should not be confused with the reported unmasking vulnerability. One makes aliases recognizable as aliases; the other may reveal the real destination behind one. Both can reduce practical privacy, but through different mechanisms. Apple says existing addresses will continue forwarding, while providers may need to update filtering rules.

Further reporting: TechCrunch on the domain migration.

06 // Quick answers

Frequently asked questions

Should I stop using Hide My Email?

Not necessarily. It remains valuable for spam control and compartmentalization. The sensible adjustment is to stop treating it as a strong anonymity guarantee until the flaw is fixed and independently retested.

Does the report expose how to attack an alias?

No. EasyOptOuts and 404 Media withheld the exploit details because the issue remained reproducible. This article does the same and does not infer a technique from public speculation.

Has Apple confirmed a fix?

EasyOptOuts says Apple twice indicated that changes had addressed the problem, but the researchers could still reproduce it on June 30, 2026. Apple had not issued a public, independently verified resolution when this analysis was prepared.

07 // Conclusion

Email aliases remain useful, but privacy claims need proof

Hide My Email solves a real problem: permanent addresses have become durable identifiers spread across marketing databases, breach dumps, and recovery systems. Unique aliases reduce that exposure. Yet a privacy relay is trustworthy only if the mapping behind it cannot be recovered by an unauthorized party.

The responsible position is neither panic nor dismissal. Users should preserve the benefits of compartmentalization, strengthen the accounts behind their aliases, and use stronger separation for high-risk identities. Apple should publish a clear security advisory, reduce the attack surface, notify affected customers, and support independent validation of the eventual fix. Privacy features are security boundaries, and customers deserve evidence when those boundaries fail, and when they are restored.

Sources & methodology

Primary and corroborating references

  1. EasyOptOuts - disclosure and communication timeline
  2. 404 Media - independent reproduction and researcher interview
  3. Apple Support - how Hide My Email and Sign in with Apple work
  4. Apple Support - sending, receiving, and managing aliases
  5. MacRumors - corroborating coverage of the reported flaw
  6. TechCrunch - reporting on Apple's alias-domain change

Editorial method: Claims about testing and Apple communications are attributed to the researchers or reporting outlet. Apple's documentation is used for product architecture. No unpublished exploit mechanism is described or inferred. Safety guidance is based on data minimization, account hardening, and threat-modeling principles. This article will be updated when Apple or the researchers confirm a verified resolution.

Written and fact-checked by

Kawshik Ahmed Ornob

Cybersecurity specialist, AI and NLP researcher, and full-stack engineer writing about privacy and secure intelligent systems.