Apple’s Hide My Email Bug Exposes Your Real Address: What to Do Now
A year‑old bug in Apple’s Hide My Email feature may leak your actual email address when you forward messages. Here’s what the problem is, how to check if you’re affected, and what you can do to protect your privacy until Apple issues a fix.
What Happened
Hide My Email is a privacy tool included with iCloud+ and Apple One subscriptions. It lets you generate random email aliases that forward to your real inbox. The idea is you use a different alias for each website or service, so if one alias is compromised, your real address stays hidden.
According to a report from SC Media, a bug in this feature can reveal your underlying real email address when you forward an email from an alias. The flaw appears to have existed for at least a year, but only recently gained wider attention. At the time of writing, Apple has not published a public acknowledgement or a timeline for a fix.
Why It Matters
If you use Hide My Email to keep your primary address private from newsletters, e‑commerce sites, or other services, this bug undermines that protection. Anyone who receives an email that was forwarded through the alias—such as a reply from a company or an automatic bounce—could see your real address in the message headers or body. For heavy users of the feature, that could mean leaking your personal email to multiple parties without your knowledge.
The risk is highest if you use Hide My Email for accounts where you’re likely to receive forwarded replies (e.g., customer support, order confirmations) or for services that automatically forward messages to your inbox. If your real address ends up in an unintended recipient’s hands, it can lead to increased spam, targeted phishing, or identity‑theft attempts.
What Readers Can Do
1. Check for Leaks
Look through the inbox you use with Hide My Email for any messages that appear to contain your real email address where it shouldn’t be. Pay special attention to:
- Replies from companies or individuals to emails sent from an alias.
- Automatic bounce messages or delivery failure notices.
- Forwards of newsletters or promotional emails that might include your address in the “To” field.
If you see your real address in any of these, you’ve been affected.
2. Disable Hide My Email for Sensitive Accounts
If you discover a leak, or simply want to be cautious, stop using Hide My Email for accounts that are important to you—especially financial services, healthcare portals, or social media logins. You can do this by:
- Going to Settings > [your name] > iCloud > Hide My Email on iPhone or iPad.
- Tapping the alias and selecting Deactivate Email Address.
- Alternatively, on Mac, go to System Settings > Apple ID > iCloud > Hide My Email, then deactivate the alias.
Deactivating an alias stops forwards from that address. You can still create new ones later.
3. Use a Different Alias Service Temporarily
Until Apple confirms a fix, consider switching to a dedicated email alias provider that has a proven track record of privacy. Two well‑known options are:
- SimpleLogin – open‑source, offers unlimited aliases on its paid plan, and allows you to reply from aliases without exposing your real address.
- Fastmail – includes alias management with masked email support (using the Fastmail add‑on), which works similarly to Hide My Email.
Both services let you create custom domain aliases or random ones and are designed to keep your real email hidden even when forwarding.
4. Monitor Your Real Email for Unwanted Contacts
If you suspect your address was leaked, keep an eye on your inbox for unexpected emails from senders you never gave your address to. Use a password manager with a “watchtower” feature (like 1Password or Bitwarden) to check if your email has appeared in known data breaches. You can also use services like Have I Been Pwned to see if your address is in any breach databases.
Long‑Term Privacy Tips
This incident is a good reminder that relying on a single service for privacy is risky. Consider:
- Using a separate alias for each online account. Hide My Email could still be one part of that strategy, but keep backups.
- Turning off automatic forwarding for aliases you don’t use often.
- Regularly reviewing your alias list and deleting ones you no longer need.
If Apple does release a fix, test it first with a non‑critical account before moving back to using Hide My Email for everything.
Sources
This report is based on security coverage by SC Media. For the original details, see:
“Apple’s ‘Hide My Email’ feature reportedly has a year‑old bug that reveals real email addresses” – SC Media, July 2, 2026.
No official statement from Apple has been published as of this writing. The bug’s scope and fix timeline remain uncertain.