Apple’s Hide My Email Bug Exposes Your Real Address: What to Do
Apple’s Hide My Email feature, available to iCloud+ subscribers, lets you create random email aliases when signing up for services. Those aliases forward messages to your real inbox without revealing your true address. At least, that’s how it’s supposed to work.
A bug discovered by security researchers and reported by SC Media on July 2, 2026, suggests the feature has been leaking users’ real email addresses for roughly a year. Apple has not released a public fix as of the report, and there is no official statement about the vulnerability. If you use Hide My Email, here’s what you need to know and what you can do right now.
What happened
According to SC Media, the bug causes the real email address associated with an iCloud account to be exposed in certain circumstances when using a Hide My Email alias. The exact mechanism isn’t fully described in the report, but it appears the disclosure can happen when a recipient or service processes the forwarded email in a way that reveals the original address. The bug has been present for about a year without Apple addressing it.
It’s important to note that at this stage, the details are based on security research and media reporting; Apple hasn’t confirmed the bug publicly, so the full scope and impact remain uncertain.
Why it matters
Hide My Email is a core privacy feature for anyone trying to limit how much of their personal information ends up in the hands of marketers, data brokers, or attackers. A leak of your real email address defeats that purpose. Once a third party has your true address, they can tie it to your account, add it to marketing lists, or target you with phishing emails.
Because the bug has reportedly been active for a year, anyone who signed up for services using Hide My Email in that period could have exposed their real address without knowing it. The breach of trust is significant because users rely on this feature to keep their real inbox private.
How to check if you were affected
There is no simple log or setting inside iCloud that tells you whether your real address was leaked. The following steps can help you assess the situation:
- Review recent forwarded emails. Look at messages you received through your Hide My Email aliases. In some cases, the “Reply-To” field or other headers might show your real address. Use the “Show Original” or “View Raw Message” option in your email client to inspect the headers.
- Check for unexpected contacts. If you start receiving spam or phishing messages sent directly to your real address from services you signed up for with an alias, it’s a sign the alias might have exposed you.
- Test a new alias. Create a fresh Hide My Email alias and send a test email to a secondary account you control. Inspect the raw headers to see if your real address appears anywhere. If it does, the bug is affecting you.
None of these checks are foolproof, because the leak may depend on how the receiving service processes the email. But they’re a starting point.
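The header inspection described in the steps above can be scripted. The following is an added example, not code from SC Media, Apple or the researchers: it does not reproduce the reported bug, it only searches a saved raw message (.eml) for your address, including forms a visual skim would miss (base64 bodies, percent-encoded URLs, `local=domain` bounce addresses). The function name, the sample message and all addresses are constructed for illustration.

```python
import base64
import email
from email import policy
from urllib.parse import unquote

def find_address_leaks(raw_bytes, real_address):
    """Return where real_address appears: header names and decoded text parts."""
    local, _, domain = real_address.lower().partition("@")
    # Plain form, plus the local=domain form seen in VERP-style bounce addresses.
    needles = (f"{local}@{domain}", f"{local}={domain}")
    # policy.default unfolds headers and decodes RFC 2047 encoded words.
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []

    def scan(location, text):
        # unquote() also catches percent-encoded forms (user%40host) in URLs.
        haystack = unquote(text).lower()
        if any(needle in haystack for needle in needles):
            hits.append(location)

    for part in msg.walk():
        prefix = "header" if part is msg else "part-header"
        for name, value in part.items():
            scan(f"{prefix}:{name}", str(value))
        if part.get_content_maintype() == "text":
            try:
                body = part.get_content()  # undoes base64 / quoted-printable
            except LookupError:  # unknown charset label, fall back to raw bytes
                body = (part.get_payload(decode=True) or b"").decode("latin-1")
            scan(f"body:{part.get_content_type()}", body)
    return hits

# Constructed sample (not a capture of the reported bug); all addresses are made up.
REAL = "jane.doe@real.example"
SAMPLE = (
    b"From: random-alias@alias.example\r\n"
    b"To: test-inbox@secondary.example\r\n"
    b"Reply-To: Jane <Jane.Doe@real.example>\r\n"
    b"List-Unsubscribe: <https://lists.example/u?e=jane.doe%40real.example>\r\n"
    b"Subject: alias test\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.b64encode(b"sent on behalf of jane.doe@real.example\n") + b"\r\n"
)

if __name__ == "__main__":
    for location in find_address_leaks(SAMPLE, REAL):
        print("real address found in", location)
```

Run it on the raw message saved from the secondary account in the alias test; a copy saved from your own inbox can contain your address in delivery headers added on the way to you.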
What you can do now
Until Apple releases a fix, consider these temporary measures:
- Disable Hide My Email for sensitive accounts. If you have an alias linked to a service with financial or personal data (bank, healthcare, social media), delete that alias in Settings > [Your Name] > iCloud > Hide My Email, and replace it with a direct email or a different masking service.
- Use dedicated email aliases from other providers. Third-party services like SimpleLogin (now owned by Proton) and Firefox Relay offer similar functionality with a track record of transparency. Some password managers, such as Bitwarden and 1Password, also include email masking in their paid plans. Switching to a service that hasn’t been linked to this bug reduces the risk.
- Monitor for increased spam and phishing. If you suspect your real address was exposed, be more cautious about emails you receive. Don’t click links or download attachments claiming to be from services you used with an alias. Check sender addresses carefully.
- Consider using a separate email address for sensitive accounts. If you have the flexibility, maintain a secondary email account (from a provider like ProtonMail or a free Gmail account) that you only use for important services. This isolates the risk if one masking method fails.
What about Apple?
As of the report, Apple hasn’t commented or issued a patch, so users are left waiting. It’s reasonable to expect Apple will address the vulnerability eventually, but given the year-long gap, it’s wise to treat Hide My Email as unreliable for privacy-critical use in the meantime.
Sources
- “Apple’s ‘Hide My Email’ feature reportedly has a year-old bug that reveals real email addresses.” SC Media, July 2, 2026.