Apple’s Hide My Email bug may expose your real address — what to do now

If you use Apple’s Hide My Email feature to keep your personal inbox private, a recently disclosed bug might have undone that protection without you noticing. According to a report from SC Media on July 2, 2026, the flaw has existed for at least a year and can reveal your actual email address when you reply to a message forwarded through the service. Apple has not yet publicly acknowledged the bug or released a fix, so users need to take some steps on their own for now.

What is Hide My Email and how it normally works

Hide My Email is a feature available to iCloud+ subscribers. It generates unique, random email addresses that forward messages to your real iCloud inbox. You can create as many as you need for sign-ups, newsletters, or one‑time use. When you reply to a forwarded email, your reply normally appears to come from the same random address, keeping your real address hidden. That is the intended behaviour.

What the reported bug does

The bug, described in the SC Media report, appears when you reply to an email that was forwarded through a Hide My Email address. Instead of keeping the reply tied to the random alias, the system sometimes attaches your actual iCloud email address to the outgoing message. The person you’re replying to then sees your real address in the “From” field.

It’s unclear how widespread the issue is or under exactly which conditions it triggers. The report suggests it has been present for roughly a year, meaning many users could have inadvertently exposed their primary email without knowing it.

Why it matters

If you rely on Hide My Email to avoid spam, maintain anonymity, or compartmentalise different parts of your online life, this bug undermines that purpose. Once your real address is out in the open, it can be sold, added to mailing lists, or used for targeted phishing. The exposure also defeats the point of using a relay service in the first place.

How to check if you were affected

You can look for signs of accidental exposure by reviewing your sent messages:

  1. Open the Mail app on any device signed into iCloud.
  2. Go to your Sent mailbox.
  3. Look for any replies you sent through a Hide My Email alias.
  4. Check the “From” field on each reply. If it shows your actual iCloud email instead of the random alias, your real address was revealed.

Also watch for an unusual increase in spam or unexpected emails arriving directly in your iCloud inbox – that could be a downstream consequence of an earlier exposure.

What you can do right now

  • Disable Hide My Email temporarily. You can turn off the feature in your iCloud settings. While not a perfect solution, it stops new replies from being sent through the potentially buggy relay. (You’ll need to manage any existing aliases manually.)
  • Review your most recent replies. If you find any that leaked your real address, consider changing the email address associated with that service or letting the contact know you made a mistake.
  • Change your iCloud email alias. If you’re worried about continued use, create a new main alias for your iCloud account and update important accounts to use that instead. This doesn’t undo past leaks but limits future risk.
  • Monitor your inbox for suspicious activity. Keep an eye on emails you don’t recognise, especially those that ask for personal information.

Longer‑term steps

The most reliable fix will come from Apple. Until a patch is released, you can:

  • Avoid replying to messages forwarded through Hide My Email. Use the original alias address (if you still have access) or create a new one.
  • Consider a temporary alternative. Services like DuckDuckGo’s Email Protection, Firefox Relay, or SimpleLogin (now owned by Proton) offer similar forwarding functionality with different privacy guarantees. Each has its own strengths and limitations, so read their privacy policies before switching.

When it’s safe to resume using Hide My Email

Once Apple confirms a fix and pushes an update, you can safely re‑enable the feature. In the meantime, the cautious approach is to treat every reply as a potential leak and act accordingly.

Sources

  • SC Media, “Apple’s ‘Hide My Email’ feature reportedly has a year-old bug that reveals real email addresses,” July 2, 2026.
  • Apple Support documentation on iCloud+ and Hide My Email (general reference for feature behaviour).