When you register for a new online service, sharing your email address often means exposing yourself to spam, profiling or, in the worst cases, the consequences of possible data breaches. To limit these risks, Apple offers iCloud+ subscribers the “Hide My Email” feature, designed to create unique, random fictitious addresses that act as intermediaries between the user and websites or applications.
A vulnerability discovered by security researcher Tyler Murphy, co-founder of EasyOptOuts, a company specialized in the removal of personal data from so-called “data brokers”, and reported to Apple could undermine this very promise: in some circumstances, it would be possible to trace the real email address hidden behind one of these aliases. The problem is said to have been reported to the Cupertino giant a long time ago, but the definitive fix has not yet arrived.
How “Hide My Email” works
The “Hide My Email” feature is part of the services included in iCloud+ and is designed to spare users from having to provide their personal email address every time they sign up to a site, make an online purchase or create a new account. Instead of the actual email address, a random address associated with the iCloud domain is automatically generated, composed of apparently meaningless words and characters.

Emails sent to this address are automatically forwarded to the user’s inbox, without the sender knowing the original address. This way, websites and applications only interact with the alias generated by Apple, while the real email address should remain hidden.
At any time you can also delete an alias or stop its forwarding, so that you no longer receive further messages. This is a particularly useful tool for reducing the amount of unwanted communications and limiting the dissemination of your personal data in the event that an online service suffers an IT breach. It is not a rare occurrence: in recent months, for example, there has been talk of the alleged data breach that reportedly involved around 89 million Steam accounts, a case that has drawn attention to the importance of protecting one’s personal data even when registering for online services.
How the vulnerability was discovered
The vulnerability would allow some addresses generated by “Hide My Email” to be linked to the user's corresponding real email address.
To verify the issue, a new alias was created via the Apple service. Within a few minutes Tyler Murphy was able to trace the associated real email address, confirming the validity of the technique. In tests conducted by EasyOptOuts with a limited number of volunteers, all addresses analyzed were found to be vulnerable. However, this does not mean that every Apple account is certainly exposed or that the method can be applied to all users without distinction: the actual extent of the problem still remains to be clarified.
Cupertino has known about the problem for over a year
The most delicate aspect of the matter concerns the handling of the report. The vulnerability was reported to Apple in June 2025, along with the instructions needed to reproduce the problem. In the following months, the company confirmed that it had received the report and was working on a fix.
In March 2026 Apple reportedly communicated that the problem had been corrected, but subsequent checks carried out by the researcher reportedly showed that the flaw was still exploitable. In May, the company reportedly asked that the details not be publicly disclosed while the investigation continued, explaining that it was still working on the matter. The group led by Tim Cook is said to have later confirmed that the fix will be distributed in a future security update, without, however, indicating a precise date for the release. At the time the story was made public, the vulnerability was still present.
Details of the flaw have not been made public
Unlike many vulnerabilities that have already been fixed, in this case the technical details of the flaw were not disclosed. This is a common practice in the cybersecurity industry when a problem is still open: making all information public could facilitate any exploitation attempts before a fix is available.
For this reason Tyler Murphy shared the method with Apple, but avoided disclosing the complete technical description. The goal is to reduce the risk that the vulnerability is exploited and that the technical details are used for attacks.
