Hide My Email’s Security Flaw Exposed
Apple’s ‘Hide My Email’ feature is a crucial component of the company’s commitment to user privacy and security. The feature allows users to create email aliases, which can be used to sign up for new accounts without revealing their real email addresses. However, a recent security vulnerability has been discovered that can expose the real email address behind any Hide My Email alias.
The issue was first reported by 404 Media’s Joseph Cox, who collaborated with Tyler Murphy, co-founder of EasyOptOuts, to test the exploit. According to Murphy, ‘almost anyone’ can tap into this vulnerability to learn the real email address behind any Hide My Email proxy. The vulnerability allows bad actors to figure out what a user’s real email address is through ‘free, publicly accessible people-search sites.’
In a test conducted by Cox and Murphy, they sent Murphy one of their Hide My Email aliases, and within five minutes, Murphy replied with Cox’s actual email address. While Murphy notes that tests have been limited, the exploit has worked on every alias he’s tried, which doesn’t bode well for Hide My Email’s security.
The security flaw has been known to Apple since June 2025, when Murphy first contacted the company about the issue. Apple responded a month later, confirming it was looking into the problem. However, despite claims of a patch in March 2026, the vulnerability remains unaddressed, and Apple has asked Murphy not to disclose the issue until it has been patched to avoid putting customers at risk.
Hide My Email is already facing criticism after a recent report by TechCrunch revealed that Apple plans to change the feature’s functionality, reducing its effectiveness. The change would label Hide My Email aliases with a ‘private’ domain, making it easier for companies to identify and block these addresses. This move has raised concerns about the feature’s future and its ability to protect user privacy.
In light of these developments, users who rely on Hide My Email for their online security may want to reconsider their approach. While the feature is still available, its security vulnerabilities and potential changes to its functionality make it an uncertain tool for protecting user information.
How Hide My Email Works
For those who may not be familiar with Hide My Email, here’s a brief overview of how it works. When you sign up for a new account, Hide My Email can generate an email alias for you. This alias is automatically linked to your real email address, allowing you to receive emails from the new account without revealing your true identity. However, if the company behind the account decides to sell or leak your email address, the damage is already done, as they had access to your real email address through the alias.
The Security Vulnerability
The security vulnerability in Hide My Email allows bad actors to figure out what a user’s real email address is through publicly accessible people-search sites. This is a significant concern, as it compromises the very purpose of Hide My Email – to protect user email addresses from being exposed. The vulnerability has been tested and confirmed to work on multiple aliases, which raises questions about the effectiveness of Hide My Email in protecting user information.
Apple’s Response
Apple has been aware of the security vulnerability since June 2025, and despite claims of a patch in March 2026, the issue remains unaddressed. Apple has asked Murphy not to disclose the issue until it has been patched, but Murphy has chosen to speak out about the vulnerability to alert users to the potential risks. The company’s response to the issue has been slow, and users may want to consider alternative methods for protecting their email addresses.