Apple’s Hide My Email feature, one of the key privacy tools available with iCloud+, is reportedly affected by a security flaw that could reveal a user’s real email address behind an anonymous alias.
According to a report by 404 Media, the vulnerability allows attackers to identify the original email address linked to a Hide My Email alias. The publication says it independently verified the issue after testing one of its own email aliases.
Hide My Email is designed to let users sign up for apps and websites without revealing their actual email address. Instead, Apple generates a unique relay address that forwards emails to the user’s primary inbox, helping reduce spam and improve privacy.
However, the reported flaw could weaken that protection by making it possible to trace an alias back to the original email address.
The issue was discovered by Tyler Murphy, co-founder of EasyOptOuts. According to 404 Media, Murphy reported the vulnerability to Apple more than a year ago and shared detailed steps to reproduce it. Despite the report, the issue reportedly remains unpatched.
To prevent misuse, neither Murphy nor 404 Media has disclosed the technical details of how the vulnerability works.
If exploited, the flaw could allow attackers to link anonymous email aliases with users’ real email addresses. This could increase the risk of targeted phishing attacks, spam, and tracking across multiple online accounts. The report notes that the issue could be particularly concerning for users who rely on Hide My Email for additional privacy, including journalists, activists, and others who separate their online identities using email aliases.
The vulnerability does not require advanced technical skills, making it easier for attackers to exploit if they know the method.
As of now, Apple has not publicly acknowledged the issue or announced when a fix will be released. Until then, users who depend on Hide My Email for stronger privacy may want to keep in mind that the feature may not completely hide their primary email address if the reported vulnerability is exploited.






