Apple’s Hide My Email Bug Leaks Your Real Address: What to Do
If you use Apple’s Hide My Email feature to keep your real inbox private, a bug that has been present for at least a year could be undermining that protection. According to a report by SC Media published on July 2, 2026, the flaw allows recipients of messages sent through a Hide My Email alias to see the user’s actual email address. Apple has been aware of the problem for more than a year but has not yet released a full fix. Here’s what you need to know and how to protect yourself.
What happened
Hide My Email is a privacy tool built into iCloud+. It generates random, disposable email addresses that forward messages to your real inbox. The idea is that you can sign up for newsletters, services, or one-off transactions without revealing your personal email. The bug, reported by security researchers and first described in detail by SC Media, breaks that promise. When someone replies to a message from your alias—or in some cases when they simply receive an email from you—the recipient’s email client can display the underlying real address. The flaw appears to affect both iCloud Mail and third-party apps that integrate with Hide My Email.
Apple has not publicly confirmed the root cause or a release date for a patch, but the company’s support pages acknowledge ongoing work to improve the feature.
Why it matters
If you are an iCloud+ subscriber who relies on Hide My Email to keep newsletters, shopping accounts, or professional contacts separate from your main address, this bug means that any of those parties could potentially discover your real email. That defeats the purpose of the feature and exposes you to increased spam, phishing attempts, or unwanted targeting. The risk is especially high for people who use Hide My Email for sensitive registrations or to avoid data brokers linking their aliases.
It’s important to note that not every reply will leak the address—it depends on how the recipient’s email system handles headers. But the bug is reliably exploitable, and Apple has acknowledged it internally, according to sources cited by SC Media. Until a fix is issued, the feature is not trustworthy for privacy-sensitive use.
How to check if your real address was leaked
There is no easy way to know for sure whether a specific alias has been compromised, because you can’t control what recipients see on their end. However, you can watch for signs:
- Unexpected emails landing in your real inbox that you only gave out via an alias.
- Increased spam or phishing messages sent directly to your main address after using Hide My Email somewhere.
- Notifications from services that you signed up for using an alias, mentioning your real name or other identifiers that shouldn’t be linked.
If you notice any of these patterns, it’s possible that alias has leaked your real address.
What you can do right now
Until Apple releases a fix, you have a few practical options to reduce your exposure.
1. Stop using Hide My Email for anything sensitive
The most straightforward step is to pause use of the feature for new accounts where you want to protect your privacy. For existing aliases, consider them potentially compromised and treat them accordingly.
2. Review and delete vulnerable aliases
Go to your iCloud settings (on iPhone, iPad, or Mac) under “Hide My Email” and review the list of active aliases. For any that you no longer need, delete them. For important accounts that were set up with Hide My Email, consider updating the email address to a different, more reliable alias (see option 4).
3. Use a different alias service temporarily
If you rely on email aliases for privacy, consider using a dedicated service like SimpleLogin (now owned by Proton) or AnonAddy. Both are open-source and allow you to self-host if desired. These services do not have the same bug and let you create unlimited aliases for free or for a small subscription.
4. Turn off the feature in apps that integrate with it
Some third-party apps automatically offer Hide My Email during sign-up. Until a fix is confirmed, it’s safer to manually enter an alias from another service or use a separate email account for sign-ups.
5. Watch for Apple’s update
Keep an eye on Apple’s system status page and your device’s software updates. Once a fix lands in iOS, iPadOS, macOS, or iCloud settings, update promptly. The SC Media report indicates that Apple is working on a resolution, but no timeline has been announced.
Long-term alternatives
If you feel burned by this bug, you may want to move away from Hide My Email entirely. Apple’s offering is convenient because it’s built in, but it lacks transparency and, as we’ve seen, reliability. Third-party aliasing services are more mature and openly document their security practices. You can also use a dedicated email address from a provider like ProtonMail or Tutanota for sign-ups, and never use it for personal communication—that way, a leak of that address doesn’t expose your primary inbox.
For users who simply need a quick way to avoid spam, a secondary free Gmail or Outlook account used only for sign-ups also works, though it requires more manual management.
Sources
- SC Media: “Apple’s ‘Hide My Email’ feature reportedly has a year-old bug that reveals real email addresses” (July 2, 2026)
- Apple Support: Hide My Email overview (updated regularly)
This article was written to provide practical guidance based on publicly available information. The bug details are as reported by SC Media; Apple has not issued an official statement on the record. Check your device settings and stay alert for future updates.