When you register for a new online service, sharing your email address often means exposing yourself to spam, profiling or, in the worst cases, the consequences of possible data breaches. To limit these risks, Apple offers iCloud+ subscribers the “Hide My Email” feature, designed to create unique and random fictitious addresses that act as intermediaries between the user and websites or applications.
A vulnerability discovered by security researcher Tyler Murphy, co-founder of EasyOptOuts, a company that specializes in removing personal data from so-called “data brokers”, could undermine this very promise: in some circumstances it would be possible to trace the real email address hidden behind one of these aliases. Murphy reported the problem to Apple, and the Cupertino company has reportedly known about it for a long time, but a definitive fix has not yet arrived.
How “Hide My Email” works
The “Hide My Email” feature is part of the services included in iCloud+ and is designed to prevent users from having to provide their personal email address every time they sign up to a site, make an online purchase or create a new account. Instead of the actual email, a random address associated with the iCloud domain is automatically generated, made up of seemingly meaningless words and characters.
Emails sent to this address are automatically forwarded to the user’s inbox, without the sender knowing the original address. This way, websites and applications only interact with the alias generated by Apple, while the real email address should remain hidden.
At any time you can also delete an alias or stop forwarding from it, so that you no longer receive messages sent to it. This is a particularly useful tool for reducing the amount of unwanted communication and limiting the spread of your personal data in the event that an online service suffers a breach. Such breaches are not rare: in recent months, for example, there has been talk of an alleged data breach said to have involved around 89 million Steam accounts, a case that has drawn attention to the importance of protecting one’s personal data even when registering for online services.
How the vulnerability was discovered
The vulnerability reportedly allows some addresses generated by “Hide My Email” to be linked to the user’s corresponding real email address.
To verify the issue, a new alias was created via the Apple service. Within a few minutes Tyler Murphy was able to trace the associated real email address, confirming that the technique works. In tests conducted by EasyOptOuts with a limited number of volunteers, all the addresses analyzed were found to be vulnerable. However, this does not mean that every Apple account is necessarily exposed or that the method can be applied to all users without distinction: the actual extent of the problem still remains to be clarified.
Cupertino has known about the problem for over a year
The most delicate aspect of the matter concerns the management of the report. The vulnerability was reported to Apple in June 2025, along with instructions needed to reproduce the issue. In the following months, the company confirmed that it had received the report and was working on a fix.
In March 2026, Apple announced that the problem had been corrected, but subsequent checks carried out by the researcher showed that the flaw was still exploitable. In May, the company reportedly asked that the details not be publicly disclosed while the investigation continued, explaining that it was still working on the matter. Apple later confirmed that the fix will be distributed with a future security update, without however indicating a precise release date. At the time the story was made public, the vulnerability was still present.
Details of the flaw have not been made public
Unlike many vulnerabilities that have already been fixed, in this case the technical details of the flaw have not been disclosed. This is common practice in the cybersecurity industry while a problem is still open: making all the information public could facilitate exploitation attempts before a fix is available.
For this reason Tyler Murphy shared the method with Apple but refrained from publishing the complete technical description. The goal is to reduce the risk that the technical details are used for attacks before the vulnerability is fixed.