Apple's Hide My Email service is used by iCloud+ customers around the world to send and receive emails while keeping their personal, permanent email address private. The service generates random, unique email addresses to act as an intermediary between your actual email address and the people you're emailing. For example, you could be given the email address random.email.22@icloud.com to hide your real email address, realname@example.com. People use Hide My Email addresses to sign up for accounts and communicate while maintaining privacy and anonymity.
We've discovered vulnerabilities in Hide My Email that allow attackers to discover the meant-to-be-hidden address behind a Hide My Email address. We reported the issue to Apple over a year ago, and as of June 30, 2026, it still hasn't been fixed. About a month ago, we realized that the vulnerabilities' severity and scope are greater than we initially thought. We're publicly disclosing the existence of the vulnerability now because we think Hide My Email users deserve to know that their email addresses may not actually be hidden. We want people to be able to account for this risk when deciding when and how to use Hide My Email. Many thanks to Joseph Cox at 404 Media for acting as a trusted third party to verify and publicize the issue responsibly.
Here's a timeline:
- June 11, 2025: We discovered a vulnerability in Hide My Email and reported it to Apple. Apple confirmed that Hide My Email is "not intended by design to allow discovery of the hidden address" and asked for more details.
- June 13, 2025: We submitted a detailed report with reproduction instructions.
- June 20, 2025: We submitted more information, hoping it would help Apple troubleshoot.
- July 9, 2025: We reported a similar but different vulnerability that also allows hidden email addresses to be discovered.
- July 14, 2025: Apple sent their first message acknowledging that the vulnerabilities were under review.
- March 3, 2026: Apple reported that the vulnerabilities were fixed and asked us to verify.
- March 19, 2026: Using the reproduction instructions from our initial report, we determined that the vulnerabilities hadn't been fixed.
- May 22, 2026: We realized that the vulnerability may have greater severity and scope than we thought initially and reported this to Apple. Apple never acknowledged the report of increased severity.
- June 30, 2026: Apple again reported that the vulnerabilities were fixed and asked us to verify. We determined that the vulnerabilities hadn't been fixed.
To protect the privacy of Hide My Email users, we will not discuss or disclose the details of the exploits until they're fixed.
We hope that Apple will take steps to reduce the attack surface even before the vulnerability is fixed. Disabling creation of new Hide My Email addresses could help. It also seems responsible to notify all Hide My Email users of the risk.
We invite Apple to work more closely and openly with us to resolve this as soon as possible.