Apple's Hide My Email service is used by iCloud+ customers around the world to send and receive emails while keeping their personal, permanent email address private. The service generates random, unique email addresses to act as an intermediary between your actual email address and the people you're emailing. For example, you could be given the email address random.email.22@icloud.com to hide your real email address, realname@example.com. People use Hide My Email addresses to sign up for accounts and communicate while maintaining privacy and anonymity.
We've discovered vulnerabilities in Hide My Email that allow attackers to discover the real address that a Hide My Email address is meant to hide. We reported the issue to Apple over a year ago, and as of June 30, 2026, it still hasn't been fixed. About a month ago, we realized that the vulnerabilities' severity and scope are greater than we initially thought. We're publicly disclosing the existence of the vulnerability now because we think Hide My Email users deserve to know that their email addresses may not actually be hidden. We want people to be able to account for this risk when deciding when and how to use Hide My Email. Many thanks to Joseph Cox at 404 Media for acting as a trusted third party to verify and publicize the issue responsibly.
Here's a timeline:
To protect the privacy of Hide My Email users, we will not discuss or disclose the details of the exploits until they're fixed.
We hope that Apple will take steps to limit the attack surface even before the vulnerability is fixed. Disabling creation of new Hide My Email addresses could be helpful. It also seems responsible to notify all Hide My Email users of the risk.
We invite Apple to work more closely and openly with us to resolve this as soon as possible.