Apple's "Hide My Email" feature is essential to my privacy and security setup. Almost every time I create a new login account, particularly when I don't fully trust the company behind it, I mask my real email address with Hide My Email. If the company in question turns out to be shady and decides to sell my email address, or suffers a data breach and leaks it instead, no worries: They never had my real email to begin with. At least, they're not supposed to.

Hide My Email has a privacy and security problem

As reported by 404 Media's Joseph Cox, Hide My Email has a vulnerability that can expose the email addresses behind Hide My Email's aliases. The details here are slim, and that's by design: This is an active security vulnerability, and revealing too much could spread the exploit even further. But according to Tyler Murphy, co-founder of EasyOptOuts, "almost anyone" can tap into this vulnerability to learn the real email address behind any Hide My Email proxy.

If you're not aware of how Hide My Email works, here's a quick rundown: Let's say your email address is yourname@gmail.com. When you sign up for a new account somewhere, Hide My Email can generate an "alias" for you. In this case, we can pretend the feature came up with sizzle_lax_3y@icloud.com (they almost always look something like this). You sign up for the new account with that alias, rather than your real email address, and all emails to that alias automatically funnel to your legitimate inbox. Functionally, it's like you gave the company your real address. But should you need to sever ties with the company, you can simply kill the alias, and your real email address remains anonymous.

The issue here is that through "free, publicly accessible people-search sites," bad actors can figure out what your real email address is through the alias. Cox says they tested the findings with Murphy. They sent Murphy one of their Hide My Email aliases, and within five minutes, Murphy replied with Cox's actual email address. While Murphy says tests have been limited, the exploit has worked on every alias he's tried. That doesn't bode well for Hide My Email's security.

Apple knows about the Hide My Email exploit

What's more, Apple has apparently known about the flaw since June of 2025. Murphy says he contacted the company about the vulnerability more than a year ago. Apple did respond a month later, confirming it was looking into the problem. Then in March of 2026, Apple replied, announcing it had patched the flaw.

Seeing as it's currently July, that clearly wasn't the case. Murphy contacted Apple again to let them know Hide My Email still had this vulnerability. Apple responded that it was again looking into it, and confirmed as recently as May that the investigation is ongoing. Apple did ask Murphy not to disclose the issue until it had patched it, to avoid putting customers at risk. But Murphy said he didn't feel comfortable letting users continue to rely on Hide My Email without knowing about the risks.

Hide My Email is already in trouble

This story comes just weeks after TechCrunch reported that Apple was changing Hide My Email for the worse. According to the report, Apple plans to change the domain of Hide My Email aliases from @icloud.com to @private.icloud.com. This significantly reduces the effectiveness of the feature, as it lets everyone know you're using an alias. As it stands now, aliases are indistinguishable from typical iCloud email addresses (perhaps other than the odd names), because the domains are the same. By labeling alias domains with "private," humans and bots alike will know this isn't your real address, and may block your aliases when creating accounts. Apple hasn't actually rolled out these changes yet, but any way you look at it, Hide My Email is having a bad month.

I'm not going to overhaul my entire workflow based on these reports just yet, but I do hope Apple takes appropriate action and patches the flaw as soon as possible. (And, for good measure, drops its plans to change Hide My Email domains.)