Anyone using Apple’s “Hide My Email” feature for app registrations, online services, or newsletters should be cautious right now. The feature is designed to prevent your email address from being shared with providers. Instead, a randomly generated alias address is used, which forwards incoming messages to your actual inbox. However, this protection does not seem to work as intended in all cases.
Security Flaw in Apple’s Mail Alias
With “Hide My Email,” Apple creates random alias addresses. Emails are forwarded to the actual inbox without shops, apps, or other services seeing the real email address. A reported security flaw, however, seems to challenge this principle.
According to a report by the online magazine “404 Media,” security researcher Tyler Murphy, co-founder of the privacy service Easy Opt Outs, has found a way to associate Apple aliases with the underlying real email addresses. Murphy reportedly informed Apple about the issue back in June 2025. The company has reviewed the notice multiple times, but no apparent solution was available at the time of publication.
iPhone Users, Take Note: Here’s the Data Apple Collects on You
Mark Zuckerberg’s Phone Number Accidentally Released
Test Confirms the Issue
The security flaw was also verified by the “404 Media” editorial team. They used their own hidden email address for testing. Murphy was then able to correctly determine the associated real address.
Also of interest: Is This the Biggest Apple Leak in History?
The detailed workings of the method are deliberately not described. The flaw is reportedly still exploitable. Publishing the technical details could further increase the risk.
Why the Flaw Is Problematic
Those using an alias address typically want to prevent a service from storing the actual email address or linking it with other accounts. If this association is successful, the protective function loses its primary purpose. Instead of obscuring identity, the alias could itself become a clue to the person behind an account.
Murphy also justifies the publication of his findings. Users should know that they may not be able to fully rely on “Hide My Email” at present. This is especially true if users employ the feature not only to protect against spam but also to separate different profiles or sign up for less trustworthy services.
Until Apple addresses the reported security flaw, users should not consider the feature a reliable protection. There is no official statement on the allegations yet, according to 404 Media.