Apple’s Hide My Email Bug Can Leak Your Real Address — Here’s What to Do
Apple’s Hide My Email feature, introduced with iCloud+ in 2021, is designed to let you generate random email addresses that forward to your real inbox. It’s a handy tool for signing up for newsletters, services, or one-time use accounts without exposing your personal email. But according to a report from SC Media published July 2, 2026, a bug in the feature has been present for about a year and can, under certain conditions, reveal your actual email address instead of the alias.
Apple has not yet publicly commented on the report, and no fix has been released as of this writing. If you use Hide My Email, here’s what you need to know about the risk, how to check if you’ve been affected, and what you can do in the meantime.
What the Bug Does
The SC Media report describes a situation where, when you use Hide My Email with certain apps or services, the system occasionally sends your real email address instead of the generated alias. The exact trigger isn’t fully clear, but the bug appears to surface when the receiving service processes the forwarded email in a way that exposes the original address. In practice, this means a website or app you intended to hide your email from could end up with your true inbox address.
The bug is reportedly more than a year old, which raises the possibility that a significant number of users may have already been affected without knowing.
Who Is Affected
Any iCloud+ subscriber who has used Hide My Email is potentially at risk. The bug isn’t limited to a specific version of iOS, macOS, or iPadOS according to the report. If you’ve generated a random address through Apple’s system and used it to sign up for a service, the leak could have happened on that occasion.
There is no indication that the bug affects all users all the time. It seems to be intermittent, which makes it harder to detect. The safest assumption is that if you’ve used the feature in the past year, there’s a chance your real email was exposed at least once.
How to Check If You Were Exposed
There’s no automatic alert from Apple about this bug, so you’ll need to look for signs yourself.
- Review forwarded emails. Check the headers of emails that were forwarded through Hide My Email. In most email clients, you can view the full headers. Look for any field that shows your real email address rather than the alias. If you see your personal address in a header like
To,Delivered-To, or a customX-Original-To, that’s a red flag. - Look for unexpected contacts. If you start receiving messages from services you signed up for using a Hidden Email alias, but the message appears to come from your real address or is addressed to it, the leak may have occurred.
- Check your iCloud settings. Go to Settings > [your name] > iCloud > Hide My Email. You’ll see a list of generated addresses. For each one, you can see which app or website it was created for. If any of these services now have your real email on file, you may have been compromised.
Unfortunately, because the bug is on Apple’s side, there’s no way to be certain without external evidence. If you notice anything unusual, assume the leak happened.
Short-Term Steps to Protect Yourself
Until Apple releases a patch, you can reduce the risk:
- Disable Hide My Email for sensitive accounts. For important services like banking, healthcare, or email logins, switch back to using your real email address directly. While that sounds counterintuitive, it removes the chance of a leak during the forwarding process. You can then change the email on those accounts back after the bug is fixed.
- Use a separate alias service. Consider using a dedicated email alias provider such as SimpleLogin or DuckDuckGo’s Email Protection. These services are designed specifically for email masking and may not have the same bug. If you prefer staying within Apple’s ecosystem, wait for the fix.
- Rotate your hidden emails. For less important accounts, generate a new Hide My Email address and update the service. The old compromised alias can be deleted. This doesn’t undo any previous leak, but it prevents future exposure through the same address.
- Monitor for phishing or spam. If your real email was leaked to a service you didn’t intend, watch for an increase in spam or targeted phishing attempts. The exposed address could be sold or used for social engineering.
What to Expect from Apple
Apple has not issued a statement as of early July 2026. Typically, the company addresses security bugs through software updates. Keep an eye on iOS, macOS, and iPadOS release notes. Once a fix is available, apply it promptly. Until then, treat Hide My Email as a convenience feature with a known privacy risk.
Sources
- SC Media, “Apple’s ‘Hide My Email’ feature reportedly has a year-old bug that reveals real email addresses,” July 2, 2026.
- Apple Support documentation on Hide My Email (note: no update regarding this bug at time of writing).
The Bottom Line
Hide My Email remains a useful option for reducing spam and compartmentalising your digital identity. But this bug shows that no privacy feature is foolproof. If you rely on it for accounts where anonymity matters, consider the steps above. Once Apple releases a fix, you can return to normal use with more confidence — and a better understanding of the feature’s limits.