Apple’s Hide My Email service, designed to protect user privacy by masking real email addresses, has a critical vulnerability, discovered in 2025 and still unresolved, that allows the real email address behind a ‘random’ Apple-generated alias to be disclosed.

  • Apple Hide My Email aliases can be linked back to original email addresses.
  • A 19-year-old alleged Scattered Spider hacker extradited to face U.S. charges.
  • India urges WhatsApp to halt username adoption over fraud concerns.

What happened

Apple's 'Hide My Email' service, introduced in 2021 to improve online privacy by generating random email aliases forwarding to users' actual inboxes, has a significant security flaw. According to security researcher Tyler Murphy and reports from 404 Media, the feature leaks real email addresses. Tests showed that all generated Hide My Email addresses were vulnerable to de-anonymization, linking the alias back to the original Apple email account.

This vulnerability was discovered in June 2025, reported to Apple, and supposedly addressed by March 2026. However, ongoing testing has shown the flaw persists. Apple has not publicly acknowledged or fixed the issue. The exact technical details of the bug remain undisclosed, but it undermines the fundamental privacy promise of the service.

Why it matters

Hide My Email is a core privacy tool for Apple's ecosystem, intended to protect users from data collection and unsolicited contact by masking their actual email identities. The exposure of real email addresses compromises this protection, potentially leading to increased spam, phishing attacks, and data privacy breaches for users relying on the service.

That the flaw has gone unresolved for so long raises concerns about Apple's responsiveness to critical security issues and about how robustly its privacy features are implemented. As individuals and companies increasingly depend on digital privacy tools, vulnerabilities like this highlight ongoing risks in trusted platforms.

What to watch next

Apple’s next steps on this vulnerability will be closely watched, particularly whether it will release a timely security update or provide transparency on the issue. Users of Hide My Email should monitor announcements and consider additional precautions when handling sensitive communications through the service.

Meanwhile, related security stories signal evolving cyber threats: a young hacker affiliated with the Scattered Spider group was extradited to the U.S. on serious charges, underscoring ongoing government actions against cybercrime. In parallel, India’s regulatory authorities have demanded WhatsApp halt its username rollout, citing potential fraud risks tied to increased anonymity. These developments reflect broader tensions in digital security and privacy globally.

Source assisted: This briefing began from a discovered source item from Wired.