A new report is putting Apple’s Hide My Email in the spotlight. According to security researchers, the feature designed to make your email private can also do the exact opposite.
In this report, cybersecurity experts answer: Should you be worried? What changes are coming to Hide My Email? And, more importantly, what can you do about it? Let’s dive in.
Is the Hide My Email vulnerability something you should worry about?
On July 1, 404 Media reported a vulnerability in Hide My Email that could allow attackers to see your real email. This is naturally a matter of concern because the sole function of Hide My Email is to not reveal your primary email, as a means of added protection against scams, spam, and phishing.

This vulnerability is not new, either. About a year ago, Tyler Murphy, co-founder of EasyOptOuts, discovered this vulnerability and reached out to Apple in June 2025 for them to fix it. Apple asked Murphy not to reveal how the vulnerability works because “attackers and scammers could use that information to exploit the weakness.”
A year went by, and no fix was issued by Apple. Murphy then decided to reach out to 404 Media, which ran a report on the issue.
The 404 Media report spread through tech media, but it left Mac users with little information to go on. Because the hack is yet to be disclosed, we will refrain from explaining the possible ways in which this vulnerability could work. But this leaves us with the elephant in the room: How serious is this? Should users be worried?
“If you use [Hide My Email] to keep your real address away from marketers and spam, which is most people—the practical risk here is limited and manageable,” Mona Rajhans, Senior Manager of Software Engineering at Palo Alto Networks, told us.
“If you use it specifically because you are trying to stay anonymous from someone who poses a personal safety risk, that changes the calculus significantly, and you should treat your relay addresses as potentially compromised until Apple confirms the fix is complete,” said Rajhans.
The real concern: Apple’s timeline
Rajhans said the timeline is frustrating, calling out Apple for leaving a reported vulnerability unpatched for more than a year.
“Users were not informed,” said Rajhans. “That is the part worth being concerned about.”
Trevor Horwitz, CISO and Founder at TrustNet, agreed that the extent of the risk depends on how you use Hide My Email.
If the average user’s real email address becomes known, they might simply receive more unwanted emails, said Horwitz. For other users, it’s another story.
“For journalists, executives, activists, or anyone who relies on Hide My Email to help separate their identity from online accounts, the potential impact is considerably greater,” said Horwitz.
For journalists, executives, activists, or anyone who relies on Hide My Email to help separate their identity from online accounts, the potential impact is considerably greater.
Trevor Horwitz, CISO and Founder at TrustNet
Once an attacker knows the underlying email address, it becomes easier to correlate that identity across other online services. They can then potentially use it as part of targeted phishing or social engineering attacks, Horwitz explained.
“The whole purpose of Hide My Email is privacy.”
Aimee Simpson, Director of Product Marketing at Huntress, highlighted that the evidence today signals that this vulnerability is a privacy issue, not a hacking-entry vulnerability.
“That means that even if something were truly wrong with the privacy of Hide My Email, accounts aren’t going to be at risk of possession/forced takeover,” said Simpson.
However, Simpson noted that the feature was not delivering on its basic function.
“The whole purpose of Hide My Email is privacy,” said Simpson.

How does Hide My Email work? And why you should care
As Apple explains, Hide My Email generates unique, random email addresses when users sign up for accounts, websites, or services. These email addresses are configured to automatically forward any incoming email to your real personal email inbox. You can read and respond directly from your main inbox, acting as a relay.
“It’s made to separate a user’s identity from the services they sign up for,” said Simpson.
“If an attacker can find the real email address behind the service, then the whole privacy angle that this platform revolves around falls away,” Simpson added.
Apple is unifying Sign in and Hide My Email
In June 2026, in a developer’s note, Apple announced that it will unify the email domains used by Sign in with Apple and iCloud+ Hide My Email under a single, shared domain: private.icloud.com.
App and website developers will have to make changes to their user sign-up tech stack thanks to these changes. They will now need to whitelist the new private.icloud.com domain so that anyone using this new domain is not rejected. This includes making account systems and email validation logic configuration tweaks.
Malwarebytes reported that this will only make Hide My Email “less useful for some users” and “easier for apps and websites to recognize that an email address was created with Hide My Email and potentially refuse to accept it during the sign-up process.”
If this sounds complex, you’re not alone. Experts agreed. And here’s how it connects to the Hide My Email vulnerability.
“In practical terms, this means the addresses your relay emails come from will look more consistent regardless of whether you signed up via Hide My Email or Sign in with Apple, ” said Rajhans.
“For users, it is mostly invisible plumbing,” Rajhans added. “Watch for whether your existing relay addresses continue to function normally; if you start missing emails you expected, check that the transition did not break any active addresses.”
Apple did not announce these changes as a fix to the Hide My vulnerability. Rather, the unification into one domain appears to be an effort to standardize both services under a single domain.
“Your existing aliases will continue working, and new aliases will simply be created under the new shared domain,” Horwitz said.
“Overall, I see this primarily as an effort by Apple to simplify and standardize its privacy infrastructure rather than a response to the recently reported vulnerability,” said Horwitz.
So, what can Apple users do about the Hide My Email vulnerability?
Rajhans from Palo Alto Networks said that while the Hide My Email vulnerability is a problem, abandoning the feature entirely would be an overreaction. Instead, users can avoid reusing their real email across services and use a relay instead.
For those who already have relay addresses tied to anything sensitive, like financial accounts or healthcare logins, reviewing those and considering rotating them, now that the domain consolidation is underway, is a good idea, Rajhans added.
“Third, turn on 2-factor authentication everywhere it is available,” said Rajhans. “If someone does learn your real email address, 2FA is what stops that from becoming account access.”
Simpson agreed that “Apple users don’t need to panic.” That said, you should continue to employ best practices around your accounts, like MFA, strong passwords, password managers, or additional biometric verifications to keep accounts as secure as possible.
Horwitz also agreed. “I wouldn’t stop using Hide My Email based on these reports alone,” said Hortwitz. Good cybersecurity is built in layers, he added, highlighting privacy features, multi-factor authentication, strong passwords, and user awareness.
Get Moonlock. It ships with Real-Time Protection, as well as a phishing and Scam Detector.
The Moonlock security app, also built to provide you with layers of security, ships with features specifically designed for email security and privacy.
The Malware Scanner and Real-Time Protection tool—which checks everything you interact with, including emails—can flag and shut down malware and emerging threats, while the Scam Detector can check any email for phishing or scams.

Using the Scam Detector is easy; just copy the email or text you want to analyze and paste it into the text box, and the Moonlock app will tell you if it’s dangerous and why.

Check it out yourself and test-drive Moonlock for free for 7 days. See how it feels on your end.
Final thoughts
The Hide My Email vulnerability appears to be a privacy issue more than a cybersecurity hack concern. However, if a feature is designed to hide your email and does the opposite, that becomes a problem.
Fortunately, as we wait for Apple to issue the fix, experts have explained in this report how serious it is, whether you should be worried, and what you can do to stay safe. Take the time to learn more about how your tech works, and keep up with Mac security and privacy news.
This is an independent publication, and it has not been authorized, sponsored, or otherwise approved by Apple Inc. Mac and macOS are trademarks of Apple Inc.