Security Roundup: Apple’s Hide My Email Service Fails to Hide Your Email
Apple's Hide My Email feature, introduced in 2021, generates masked email addresses that forward messages to users' actual inboxes whilst protecting their identity from third parties. However, security research disclosed this week reveals a significant flaw in the system: the masked addresses can be reverse-engineered to expose the real email addresses they were designed to conceal. Testing confirmed that every masked address examined was vulnerable to this exploitation.
The researcher who discovered the vulnerability initially reported it to Apple in mid-2025, with the company claiming to have resolved the issue by spring 2026. Subsequent testing demonstrated the flaw remained unfixed. When the researcher followed up several months ago, Apple indicated the investigation was still ongoing but has not responded to media inquiries. The vulnerability has remained exploitable for at least a year, leaving users who believed they were protected actually exposed.
- Apple's Hide My Email privacy feature contains a flaw allowing real email addresses to be recovered from masked addresses designed to conceal them
- A researcher reported the vulnerability to Apple over a year ago; despite claiming to address it, the flaw remains unfixed and exploitable
- Testing demonstrated 100% of masked addresses tested could be compromised to reveal the associated real email address