Apple’s Hide My Email Bug Can Reveal Your Real Address — What to Do Now
A security report published this week details a bug in Apple’s Hide My Email feature that can expose your actual email address to third parties under certain conditions. The issue appears to have existed for about a year, and it affects anyone who uses iCloud+ and relies on the service to keep their real inbox hidden. Here’s what we know and what you can do in the meantime.
What happened
The report, first covered by SC Media, explains that Hide My Email — a feature included with iCloud+ that generates unique, random email addresses for signing up to services — sometimes fails to keep your real address masked. When a sender replies to a message sent from one of these random alias addresses, or when certain forwarding rules are triggered, the underlying personal email can be revealed instead of the alias. The exact trigger hasn’t been fully documented yet, but the consequence is clear: the privacy protection the feature is designed to provide can break down.
Apple has not issued a public statement or a fix as of this writing, so the bug remains active.
Why it matters
For anyone who uses Hide My Email to reduce spam, avoid tracking, or compartmentalise their online accounts, this bug undermines the entire benefit. A single exposure can link your real email address to the alias, which then enables senders (or attackers who compromise a service’s database) to tie your browsing habits, subscriptions, and account activity back to you. Since the bug has reportedly been present for a year, it’s possible that some users have had their real address exposed without realising it. Even if you haven’t noticed unusual spam or phishing attempts, the risk remains.
This isn’t a theoretical problem — the whole point of using a masking service is that the mapping from alias to real address stays private. When that mapping leaks, you lose control over who knows your actual email. And because many people use Hide My Email for signing up to newsletters, stores, and free trials, the potential exposure spans a wide range of third parties.
What readers can do
Until Apple deploys a patch, you have a few options to reduce risk.
Pause using Hide My Email for new sign-ups. If you’re creating a new account today, consider using an alternative masked email service (such as DuckDuckGo Email Protection or SimpleLogin) where the privacy guarantees are more clearly documented and independent of this bug. Alternatively, generate a single-use email through a disposable service if the account is low‑value.
Review past uses for signs of exposure. Look at the inbox for your iCloud email (the real address). If you start receiving unexpected replies, bounce notifications, or spam at that address that are related to a service you originally signed up to via a Hide My Email alias, it may indicate the real address was exposed. Also check if any emails you sent from an alias were forwarded back to your real address unexpectedly.
Change critical accounts. For high‑value accounts (e.g., banking, password managers, social media login emails) that you may have created using Hide My Email, consider updating the email address to a more trusted one — ideally a fresh, unique address that isn’t tied to this bug.
Report the issue to Apple. Even though Apple hasn’t acknowledged the bug publicly, filing a report through their privacy feedback page can help signal the severity. You can use the form at apple.com/privacy/contact, though prompt resolution is not guaranteed.
Monitor for phishing. If your real email was exposed, be extra cautious about emails that claim to be from Apple or from services you use. Attackers may use the leaked address to craft convincing phishing messages.
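The inbox review described under "Review past uses for signs of exposure" can be scripted. The following is an added example, not code from the report or from Apple: it flags mail from a service you only ever gave an alias to that is nevertheless addressed to your real address. The addresses, domains and sample messages are constructed, and it assumes that mail relayed through an alias still shows the alias as the recipient.

```python
import email
from email.utils import getaddresses, parseaddr

# Constructed values: substitute your own address and sign-up records.
REAL_ADDRESS = "jane.doe@icloud.com"
ALIAS_SIGNUPS = {  # service domain -> alias you gave that service
    "shop.example": "alias-one@icloud.com",
    "news.example": "alias-two@icloud.com",
}

# Constructed sample messages standing in for an exported inbox.
SAMPLE_MESSAGES = [
    "From: Shop <orders@shop.example>\nTo: alias-one@icloud.com\n"
    "Subject: Your order\n\nThanks.\n",
    "From: News <letters@mail.news.example>\nTo: jane.doe@icloud.com\n"
    "Subject: Weekly digest\n\nHello.\n",
    "From: Friend <friend@other.example>\nTo: jane.doe@icloud.com\n"
    "Subject: Lunch\n\nHi.\n",
]


def signup_domain(sender_domain):
    """Return the recorded service domain that sender_domain belongs to."""
    for domain in ALIAS_SIGNUPS:
        if sender_domain == domain or sender_domain.endswith("." + domain):
            return domain
    return None


def find_exposures(raw_messages):
    """Flag mail from alias-only services addressed to the real address."""
    findings = []
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        domain = signup_domain(sender.rpartition("@")[2])
        if domain is None:
            continue  # sender is not a service you gave an alias to
        headers = msg.get_all("To", []) + msg.get_all("Cc", [])
        recipients = {addr.lower() for _, addr in getaddresses(headers)}
        alias = ALIAS_SIGNUPS[domain]
        # Assumption: relayed alias mail still names the alias as recipient.
        if REAL_ADDRESS in recipients and alias not in recipients:
            findings.append((sender, alias, msg.get("Subject", "")))
    return findings


if __name__ == "__main__":
    for sender, alias, subject in find_exposures(SAMPLE_MESSAGES):
        print(f"{sender} wrote to the real address (alias was {alias}): {subject}")
```

A hit is a prompt to look closer, not proof of a leak: you may have given that service your real address elsewhere.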
Long‑term considerations
This incident is a reminder that even built‑in privacy features can have flaws, and no single layer of protection is foolproof. If you regularly need email masking, consider diversifying — use one service for sign‑ups and another for your actual correspondence. Also, enable two‑factor authentication on your primary email account so that if your address is exposed, an attacker still can’t log in without the second factor.
Apple’s track record suggests they will eventually fix the bug with a software update, but no official timeline has been given. Until then, treat Hide My Email as unreliable for anything where exposure would be a problem. When the fix arrives, you can resume using it.
Sources
- SC Media: “Apple’s ‘Hide My Email’ feature reportedly has a year‑old bug that reveals real email addresses” (July 2, 2026).