AppleInsider can confirm that it’s pretty easy to get somebody’s real email from Hide My Email, but it’s also not much of a concern. If you’re using the feature as intended as a spam filter, there’s really no issue at all.
The Hide My Email feature allows iPhone, Mac, and iPad owners to sign up for websites and services using an anonymous email address. All emails sent to that address are then invisibly forwarded to the user’s real email address, preserving their privacy.
However, it has been reported that the feature can be bypassed, allowing someone to see a user’s real address. Apple is yet to fix the issue, despite having known about it for more than a year.
The steps required to bypass Hide My Email have not been made widely available. But we’ve now learned how it works.
A trivial process
We won’t be sharing the steps required to identify the real address behind a Hide My Email one. Given the fact that the exploit is still live and Apple is seemingly unable, or unwilling, to fix it, sharing the details would be problematic for obvious reasons.
However, what we will say is that bypassing Hide My Email is a trivial task. It’s something that anyone would be able to do, assuming that they know the fake address created by the Hide My Email feature.
With that in mind, it’s all the more incredible that the issue is yet to be addressed by Apple.
Apple claimed that it had done just that in March 2026. But testing by Tyler Murphy, the person who originally discovered the flaw, found that not to be the case.
Murphy was also told at the end of May 2026 that a fix was “expected in the coming weeks.” As of July 2026, that fix has yet to arrive.
Limited risk
There is a potential reason that Apple may not be treating this issue as a priority. It’s unclear just how much of a privacy risk this issue is.
Places like grocery delivery venues, media sites, and so forth don’t care that much about your real email, and aren’t going to go diving looking for it with an exploit. You also probably won’t get outside spam from them to the email alias generated, unless you’ve opted in to that.
As mentioned, anyone wishing to gain someone’s real email address must first know the address created by Hide My Email. That’s likely to severely limit the attack vector.
That hasn’t stopped a new lawsuit from being filed, however. The ambulance-chasing complaint accuses the company of false advertising, fraud, breach of contract, and other violations tied to Apple’s marketing of Hide My Email, without any real damage to the filer or class.
Intended use meets privacy confusion
“I signed up with hide my email on my iPhone on my home network after following a link from social media” is like putting a screen door on a submarine, and not really the intent of the feature. It’s also not really intended to impenetrably shield email senders from consequences of their actions or words, sent across the internet.
After all, we already know that Apple surrenders identity of the real sender of an email hidden by Hide My Email with a subpoena.
It’s also vital to remember what the Hide My Email service is for, and how Apple was very clear at release on when and how to use it. It’s unclear whether the filer of the lawsuit is aware of either.
At its core, Hide My Email creates a new email address that Apple device owners can use to sign up for online services and websites. People can use that address rather than give these services and websites their real address.
The use case is simple. If our fictitious Apple customer then receives spam messages to their Hide My Email address, they immediately know. The address was leaked by, sold by, or stolen from, the one website or service that it was given to.
At this point, the user has a choice. They can delete the compromised Hide My Email address and give the website or service a new one. Or, they can ditch it entirely and use a different website or service. They’d also give it a new Hide My Email-created address, too.
Either way, the compromised address would be deleted, stopping any spam emails in their tracks.
The catch? If the spammer is the determined sort, they could use this exploit to learn the user’s real email address. So long as they did it before the compromised Hide My Email address was disabled, of course.

