Anyone looking to protect themselves when signing up for websites often turns to alias email addresses: instead of their real address, they provide a forwarding address that relays incoming messages to their actual inbox. Apple's iCloud service offers exactly this with the "Hide My Email" feature — part of a paid iCloud subscription. But a security vulnerability undermines the entire purpose of this feature: the real email address behind the alias can apparently be determined with minimal effort.
Vulnerability Known for Over a Year
The problem was discovered by Tyler Murphy, co-founder of data privacy firm EasyOptOuts. He reported the vulnerability to Apple in June 2025 — and is still waiting for a complete fix. Technology outlet 404 Media says it tested the flaw independently and achieved a 100% success rate: the real email address behind a Hide My Email alias could be identified in every case.
Apple attempted a fix in March 2026. Murphy verified, however, that the vulnerability remained exploitable even after the supposed patch. The last response from Apple dates to May 2026, when the company stated it was still investigating. Since then, there has been silence.
Millions of Users Potentially Affected
Apple recently surpassed one billion paid subscribers. Even if just one percent of them actively use Hide My Email, that represents around ten million people whose real email addresses could potentially be uncovered despite the alias.
That is precisely why neither Murphy nor 404 Media has published the technical details of the vulnerability. The standard 90-day responsible disclosure window — the industry norm after reporting a security issue — has long expired. A full year without a complete fix is an exceptionally long timeframe in the world of responsible disclosure.
How Such Leaks Typically Occur
Even without knowing the exact technical cause, similar past incidents suggest plausible explanations. In previous cases, email alias features were compromised in two ways: either email clients "helpfully" normalized reply paths to the sender's real address through autocorrection behavior, or servers mishandled email headers and inadvertently exposed the original address. Both scenarios illustrate that protection through email aliases depends not only on the provider's platform, but on the entire surrounding email infrastructure.
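Both failure modes above come down to the real address surviving somewhere in the message headers. As an added illustration (not from the article, and unrelated to Apple's actual implementation, which is not public), here is a Python check that an alias-relay operator or an auditor could run on a reply before it leaves: it lists every header that still carries the real address, then rewrites or strips the header classes in which such leaks have occurred. The addresses and the sample message are constructed.

```python
import email
from email import policy
from email.utils import make_msgid

# Constructed sample: a reply that Alice's client built inside an alias conversation.
# Her real inbox address has crept into Reply-To, Sender, the Message-ID and a
# Received trace line, which is exactly how a recipient could learn it.
REAL_ADDRESS = "alice@example.com"                 # constructed
ALIAS_ADDRESS = "random123@privaterelay.example"   # constructed alias
SAMPLE_REPLY = """\
Received: from mail.example.com by relay.privaterelay.example
\tfor <alice@example.com>; Tue, 2 Jun 2026 10:00:00 +0000
From: Alice <random123@privaterelay.example>
Reply-To: alice@example.com
Sender: alice@example.com
To: support@shop.example
Message-ID: <20260602.alice@example.com>
Subject: Re: your order

Thanks, that answers my question.
"""

def find_leaks(raw, real):
    """Return the names of all headers in which the real address appears."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [name for name, value in msg.items()
            if real.lower() in str(value).lower()]

def sanitize_for_relay(raw, real, alias):
    """Rewrite a reply so only the alias is visible: point sender headers at the
    alias, drop trace/envelope headers, regenerate a Message-ID built from the real box."""
    msg = email.message_from_string(raw, policy=policy.default)
    for name in ("From", "Reply-To"):
        if name in msg and real.lower() in str(msg[name]).lower():
            del msg[name]            # del removes every instance of the header
            msg[name] = alias
    for name in ("Sender", "Return-Path", "Received",
                 "Delivered-To", "X-Original-To"):
        del msg[name]                # a no-op if the header is absent
    if "Message-ID" in msg and real.lower() in str(msg["Message-ID"]).lower():
        del msg["Message-ID"]
        msg["Message-ID"] = make_msgid(domain=alias.split("@", 1)[1])
    return msg.as_string()

if __name__ == "__main__":
    print("leaking headers:", find_leaks(SAMPLE_REPLY, REAL_ADDRESS))
    print(sanitize_for_relay(SAMPLE_REPLY, REAL_ADDRESS, ALIAS_ADDRESS))
```

The check covers headers only; an address typed into a signature in the body would still need a separate content check.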
Apple's Own Measures Make Things Worse
Adding to the problem, Apple plans to move Hide My Email addresses to its own domain, private.icloud.com. While this sounds like a technical consolidation, it has an unpleasant side effect: websites could choose to block this domain outright and force users to provide their real email address. The privacy mechanism would be circumvented at the platform level — entirely separate from the existing vulnerability.
Murphy has publicly called on Apple to suspend sales of the Hide My Email feature until the data leak issue is fully resolved. There has been no response.
What This Means for You
If you are actively using Hide My Email, you should be aware that the intended anonymization effect is currently not reliably guaranteed. For people who depend on this protection — for example, because they deliberately do not want their real email address shared — this is a serious problem.
Alternatives to Hide My Email do exist: many independent services offer similar alias functionality. Those who rely on Apple's ecosystem should monitor the situation closely and avoid sensitive registrations via Hide My Email until Apple delivers a confirmed and verified fix.
Do you have questions about secure communication and protecting your digital identity? The FameSystems team is happy to help.