Apple Hide My Email Bug May Leak Real Addresses — Patch or Disable Now
Apple's Hide My Email Feature Has a Privacy Vulnerability Worth Acting On
A newly disclosed bug in Apple's Hide My Email service may expose users' real email addresses — the opposite of what the privacy feature is designed to do. The researcher who found it describes a possible disclosure vulnerability that could allow the underlying Apple ID address to leak through what should be an anonymizing relay.
What Happened
Security researcher Jeff Johnson at Lap Cat Software published findings on July 2, 2026 documenting unexpected behavior in Apple's Hide My Email system. Hide My Email, part of iCloud+, generates random @icloud.com relay addresses so users can sign up for services without exposing their real email. The bug reportedly creates conditions under which the actual address behind the alias can be revealed — potentially to senders, services, or third parties depending on how the leak manifests.
Apple has not yet issued a public statement or assigned a CVE at time of writing.
Why It Matters
Hide My Email is a security and privacy control, not just a convenience feature. Users rely on it specifically to:
- Prevent email-based tracking and cross-service identity correlation
- Shield their Apple ID address from data brokers and breach exposure
- Contain spam to a disposable alias they can kill without changing their primary address
If the real address leaks, every assumption about compartmentalization breaks. Anyone who used Hide My Email when signing up for services that later suffered breaches now has a problem: the "throwaway" address that was supposed to be the blast shield was actually their real one.
For organizations using Apple devices at scale — or for individuals who built privacy workflows around this feature — this is a meaningful control failure, not a theoretical one.
What to Do
If you use Hide My Email:
- Audit your aliases now. Go to
Settings → [Your Name] → iCloud → Hide My Emailand review which services are linked to which relay addresses. - Treat active aliases as potentially compromised. If any of those services are sensitive (banking, healthcare, legal), consider rotating the alias or contacting the service to update the address on file.
- Watch for unusual email reaching your real Apple ID address from senders you only gave an alias to — that's the clearest indicator the leak is real in your specific case.
- Disable Hide My Email temporarily if you handle particularly sensitive communications through it, until Apple patches and confirms the fix.
- Monitor Apple's security advisories at support.apple.com/en-us/100100 for an official patch or CVE assignment.
The full technical write-up is at lapcatsoftware.com. Apple's typical patch cycle for iCloud-side issues is server-side and doesn't require a device update — but there's no confirmation yet that a fix has been deployed.
Synthesized by Claude · sanity-checked before publish.