A serious security vulnerability has been revealed in Apple’s “Hide My Email” feature, allowing hackers and malicious actors to expose the real email address of any user who relies on this privacy-focused feature.
Tyler Murphy, co-founder of Easy Opt Out, told 404 Media that Apple has been aware of the issue for over a year but has yet to fix the bug.
The “Hide My Email” service is a core feature of iCloud Plus subscriptions (starting at $1 per month). It provides tools similar to temporary email services, allowing users to create a temporary email address with the “icloud.com” domain for use when registering on websites, thus preventing the sharing of their real email address. This alternative address expires after a specified period.
These pseudonymous addresses are widely used to ensure privacy when signing up for new apps or downloading trial software. If these sites are later compromised, the user’s real data and email address remain secure. This is precisely what the discovered vulnerability strikes at the heart of.
Although Murphy did not reveal the precise technical details of how the vulnerability works, he confirmed that experiments conducted with volunteers proved that 100% of the hidden pseudonyms could be used to access real email accounts via publicly available identity lookup websites. The website 404Media deliberately withheld details of the security flaw due to the possibility of its exploitation by hackers at the time of publication.
According to the timeline of the crisis, Murphy first reported the issue to Apple in June 2025. In March 2026, Apple reported that it had patched the vulnerability, but Murphy investigated and discovered that it still existed. By May 2026, Apple reiterated that it was still investigating the matter, requesting that Murphy not release the information publicly to protect users until the investigation was complete. Murphy refused this request and decided to release his documents.
Experts advise users to temporarily discontinue using the feature, pending updates Apple plans to release this summer, which include changing the service’s domain from “icloud.com” to “private.icloud.com”.
The reasons behind Apple’s desire to change the domain name are still unclear, amid concerns that the new domain will make it easier for websites to automatically block any email containing “private.icloud.com”, potentially forcing users to share their real addresses, which would significantly reduce the feature’s privacy value.

