Apple’s Hide My Email Has a Bug That Reveals Your Real Address — Here’s What to Do

If you use Apple’s Hide My Email feature to keep your real inbox private, a newly reported bug may have been quietly undermining that protection. Security publication SC Media disclosed on July 2 that a flaw in the iCloud+ service, present for roughly a year, can expose your actual iCloud email address when you send messages through the system.

Apple has not yet publicly acknowledged the issue or issued a fix. Until it does, here’s what we know and what you can do to limit the risk.

What Happened

Hide My Email lets iCloud+ subscribers generate unique, random email addresses that forward to their real inbox. The idea is to prevent third parties from getting your primary email address when you sign up for newsletters, services, or online accounts.

According to the SC Media report, the bug surfaces when you use Hide My Email to reply to or compose an email that gets forwarded to a non-Apple email address (for example, a Gmail or Outlook account). In certain cases, the recipient sees your actual iCloud email address instead of the anonymous relay address in the email headers or “From” field. This defeats the entire purpose of the feature.

The report states the bug has existed for about a year, meaning many users could have inadvertently leaked their real address without knowing. The exact triggering conditions are not fully detailed, and Apple has not commented. It’s unclear whether the problem affects all Hide My Email users or only those with specific forwarding rules.

Why It Matters

Hide My Email is a central privacy tool for anyone who uses iCloud+. If you rely on it to compartmentalize your online identities — separating shopping accounts from work logins, for instance — a leak of your real email address erodes that separation. Once a spammer, marketer, or data broker gets your actual address, the protection from the alias is gone.

The bug also undermines trust in Apple’s privacy promises. The service is designed to be transparent: you send an email from an alias, and the recipient should only see that alias. When the system fails silently, users have no way to know their information was exposed.

For journalists, activists, or anyone managing a threat model, even a single leak can be serious. But for the average user, the main practical impact is an increase in spam and phishing attempts directed at your real email.

How to Check If You Were Affected

There is no official tool to audit your Hide My Email activity for leaks. But you can do a few manual checks:

  • Review email headers from recipients you trust. If you have a friend or a second email account, send a test message to a non-Apple address using your Hide My Email alias. Ask the recipient to show you the full email headers. Look for fields like Return-Path, From, or Reply-To. If your iCloud email address appears (e.g., [email protected]) instead of the random alias ([email protected]), you may have been exposed.

  • Check your iCloud “Hide My Email” settings. Go to Settings > [your name] > iCloud > Hide My Email. Review the list of aliases. If you see any that were used recently, note the forwarded address and send a test.

  • Watch for suspicious email. If you start receiving spam or phishing emails at your iCloud address that seem related to accounts where you used an alias, that’s a red flag.

Keep in mind that a negative test doesn’t guarantee you’re safe — the bug may be intermittent.

What to Do Now

Since Apple hasn’t released a fix, you have some temporary options:

  1. Stop using Hide My Email for important accounts. For banking, social media, or other sensitive services, use a different approach until the bug is patched. Consider creating a dedicated email alias with a third-party provider like SimpleLogin or Fastmail.

  2. Avoid replying to forwarded emails. If the bug is related to composing new messages or replies, the safest workaround is to only use Hide My Email for one-way signups. When you need to respond to a message sent to your alias, log in directly through the service’s website instead.

  3. Monitor Apple’s support pages for an official update. Bookmark Apple’s security advisories or subscribe to RSS feeds for iCloud changes.

  4. Consider deleting old aliases that you no longer need. If an alias was used before the bug was discovered, it may have already leaked your address. Deleting it won’t undo the leak, but it stops future forwarding.

Sources

  • SC Media, “Apple’s ‘Hide My Email’ feature reportedly has a year-old bug that reveals real email addresses,” July 2, 2026.
  • Apple Support, “Hide My Email,” https://support.apple.com/en-us/HT210425. (Note: Apple last updated this page in 2025; no advisory about the bug was posted as of this writing.)