This Apple privacy feature may have leaked emails for millions of iPhone, Mac, and other Apple device users


This Apple privacy feature may have leaked emails for millions of iPhone, Mac, and other Apple device users
Apple’s privacy tool has a very public problem

If you’ve been using Apple‘s Hide My Email to dodge spam or keep your real inbox off random signup forms, here’s some unwelcome news: the feature has a bug that can expose the very address it’s supposed to hide. Apple doesn’t publish exact iCloud+ numbers, but the company has crossed 1 billion paid subscriptions across its services, and industry surveys suggest roughly two-thirds of iPhone owners pay for iCloud storage. With every tested Hide My Email alias found exploitable, the pool of iPhone, Mac, and iPad owners potentially at risk is enormous. According to a new 404 Media investigation, anyone armed with the right method can trace one of your Hide My Email aliases straight back to your real Apple ID email, and Apple has reportedly sat on this for over a year without fixing it.The bug was reported by security researcher Tyler Murphy, co-founder of EasyOptOuts, who flagged it to Apple back in June 2025 with steps to reproduce it. To confirm it was still live, 404 Media generated a fresh Hide My Email address of its own and passed it to Murphy. He unmasked the real email behind it in about five minutes.

Your aliases might not be as anonymous as you think

This matters if you’re someone who’s built up a stash of these addresses over the years, for streaming trials, online shopping, sketchy newsletters, or accounts you didn’t want tied to your identity. Murphy told 404 Media that in tests with volunteers, every single Hide My Email address they tried could be cracked. Once your real address is exposed, it’s a short hop to your other personal details, since plenty of free people-search sites let anyone connect an email to a name, location, or phone number.Apple’s replies to Murphy, which he shared with 404 Media, suggest the company knew and moved slowly anyway. It claimed in March the issue was “addressed,” but Murphy found it wasn’t. By May, Apple was still calling it “under investigation” and asked him to stay quiet a while longer.

What you can do while you wait for a fix

There’s no patch yet, so if you’re relying on Hide My Email for real anonymity, treat your existing aliases as compromised for now. Consider switching sensitive signups to alternatives like Proton’s SimpleLogin or DuckDuckGo’s Email Protection until Apple ships a fix. It’s also worth keeping an eye on your inbox for unexpected spam or phishing, a possible sign an alias has already been linked back to you.Adding to the mess, Apple recently said it’s moving Hide My Email addresses to a dedicated @private. icloud. com domain, which could make your aliases easier for websites to spot and block outright. For now, Apple hasn’t commented publicly, and the fix it promised for “the coming weeks” still hasn’t landed.



Source link

Leave a Reply

Your email address will not be published. Required fields are marked *