Your data. Your choice.

If you select «Essential cookies only», we’ll use cookies and similar technologies to collect information about your device and how you use our website. We need this information to allow you to log in securely and use basic functions such as the shopping cart.

By accepting all cookies, you’re allowing us to use this data to show you personalised offers, improve our website, and display targeted adverts on our website and on other websites or apps. Some data may also be shared with third parties and advertising partners as part of this process.

Samuel Buchmann
News + Trends

Apple’s ‘Hide My Email’ feature has been affected by a vulnerability for a year

Samuel Buchmann
2.7.2026
Translation: machine translated

According to a security researcher, it is possible to deduce the real addresses from the supposedly anonymous alias addresses used by Apple’s iCloud service.

Apple’s iCloud service «Hide My Email» appears to have had a serious vulnerability for a year. According to «404 Media», cybercriminals can deduce the real email address underlying the alias generated by Apple.

The issue was discovered by security researcher Tyler Murphy. He reported the vulnerability to Apple in June 2025 and, according to his own account, provided detailed information on how to reproduce it. «404 Media» verified the vulnerability. In tests involving volunteer users, 100 per cent of the aliases tested were found to be vulnerable. The publication is deliberately withholding technical details because, as things stand, the vulnerability remains exploitable.

No solution despite repeated reports

Hide My Email is part of the paid iCloud+ plan and generates random alias addresses that forward emails to the actual inbox. The function is designed to protect against spam, data leaks and identifiability. The service is similar to common disposable email addresses, but is integrated directly into the Apple ecosystem. If you rely on this function for your protection, that protection could now be at risk: publicly accessible search services allow further personal information to be deduced from a real email address.

According to Murphy, Apple confirmed receipt of the report in 2025 and claimed in March 2026 that the vulnerability had been fixed. However, Murphy found that it still exists and provided further evidence. By May 2026, Apple had reportedly stated that the incident was still under investigation – and asked the researcher not to publish the information so as not to put customers at risk. After more than a year without any visible fix, Murphy decided to disclose the issue.

There is still no public statement or timetable for a security update. According to Murphy, Apple has indicated to him that an update «is expected in the coming weeks».

Header image: Samuel Buchmann

2 people like this article


User Avatar
User Avatar

My fingerprint often changes so drastically that my MacBook doesn't recognise it anymore. The reason? If I'm not clinging to a monitor or camera, I'm probably clinging to a rockface by the tips of my fingers.


News + Trends

From the latest iPhone to the return of 80s fashion. The editorial team will help you make sense of it all.

Show all

Comments

Avatar