Apple's Hide My Email flaw reveals your real address 'in five minutes'

A popular tool on iPhones and other Apple devices that hides emails has a flaw that reveals users’ personal addresses, researchers claim.Hide My Email creates disposable @icloud.com email addresses made from random letters and numbers.The identity tool, available for Cloud+ subscribers, is designed to ‘keep your personal email address private’, according to Apple.

But researchers from the digital privacy firm EasyOptOuts found flaws in Hide My Email, which they claim does the exact opposite.The bugs allow people to peel back the Hide My Email address to reveal a user’s real one.One flaw was discovered and reported to Apple in June 2025, with Apple acknowledging it the following month, according to EasyOptOuts.

The team found another vulnerability in March, which Apple fixed.‘About a month ago, we realised that the vulnerabilities’ severity and scope are greater than we initially thought,’ EasyOptOuts said this last week.‘We’re publicly disclosing the existence of the vulnerabilities now because we think Hide My Email users deserve to know that their email addresses may not actually be hidden.

‘We want people to be able to account for this risk when deciding when and how to use Hide My Email.’ While Apple said in June that the issue had been patched out, tests by 404 Media found it was still there last Monday.Journalist Joseph Cox created a fake Apple email and sent it to EasyOptOuts’s co-founder, Tyler Murphy – just five minutes later, Murphy sent Cox his personal address.Murphy said that his team’s ‘limited tests’ showed ‘100%’ of Hide My Email addresses were exploitable.

Neither researchers nor the tech outlet revealed the hack, fearing that cyber crooks could exploit it to nab personal emails.Why is this a bad thing? Emails are digital breadcrumbs for companies – and cybercriminals.Your email address is linked to your personal data, tacked on by companies as you browse for clothes or scroll on TikTok.

When you sign up for an account on a shoe brand’s website, for example, sneaky advertiser algorithms transform your email into a code.This string of digits and characters, called a token, travels with your email address.It’s why you might see shoe ads while scrolling on other sites.

Data brokers – companies that collect and sell information about shoppers, sometimes on the dark web – upload emails to the online equivalent of the Yellow Pages phonebook.By doing so, people can look up your email address and be shown intimate profiles about you containing, among other things: Your phone number.Home address social media profiles.

Marital status.If and where you went to university.Your recent purchases.

Your interests, like if you play golf, watch cat videos or donate to charities.That’s a lot of info.Aras Nazarovas, a senior information security researcher at Cybernews, told Metro that this is why your personal email is far more interesting to hackers than your mock one.

‘Hackers may cross-reference the leaked emails against data from previous breaches to gather more information about potential victims, or combine them with publicly available information, such as social media profiles, to build detailed victim profiles,’ Nazarovas said.‘However, it is important to note that the exploit hasn’t been made public yet, so the actual impact is limited.This gives Apple an opportunity to fix the issue before it could be exploited at scale.’ Apple introduced Hide My Email in 2019, with users asked to make burner emails when using a third-party service, like filling out a form or signing up for a web newsletter.

Users can do so when signing up using their Apple ID to hide the email address linked to their Apple account.Trending Now British woman arrested for 'stabbing boyfriend' and claiming it was a suicide World 19 hours ago By Sarah Hooper Billionaire who wants to live forever and takes 54 supplements a day has incurable disease Bodies of two men missing for ten days found in car 'hidden by undergrowth' Teenager who drowned on Duke of Edinburgh trip was 'kind and left an immeasurable void' Whenever the website or app tries to contact you, it will email the phoney address and not your real email. Apple will let you know if they do and, if you consider it spam, you can easily delete your account and the email.Apple said in a note in June that it plans to start generating email addresses using the @private.icloud.com domain rather than @icloud.com.

Yet Apple users said the change will make it more obvious to third-party companies when someone uses a hidden email to sign up.Apple has been approached for comment.Get in touch with our news team by emailing us at [email protected].

For more stories like this, check our news page.MORE: Amazon Prime Day LIVE – final day rush for fans, blackout blinds and Diet Cok deals MORE: Apple makes change to iPhone that will make them way less attractive to thieves Comments Add as preferred source News Updates Stay on top of the headlines with daily email updates.This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Your information will be used in line with our Privacy Policy HomeNewsTech Related topics AppleCybercrimeiPhone

Read More
Related Posts