Apple’s Hide My Email service contains a security flaw that allows attackers to discover users’ actual email addresses, defeating the entire purpose of the paid privacy feature. According to a security researcher who reported the vulnerability to 404 Media, the system that was supposed to keep people’s real emails hidden can be exploited by people who want to find out who users actually are.
Hide My Email launched in 2021 as part of Apple’s privacy toolkit. Users pay annually for the service, which generates temporary email addresses that forward messages to their real inbox. The feature was designed to let people sign up for websites and apps without revealing their actual email address, reducing spam and protecting identity. Instead of providing a website with their real email, users get a random address that still receives all messages.
But the system has a critical flaw. Attackers can exploit a gap in how Apple built Hide My Email to uncover the real email address hidden behind the temporary one. “Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses,” the researcher told 404 Media.
This vulnerability matters because privacy features only work when they actually protect users. Millions of Apple customers pay for Hide My Email believing it shields them from tracking and unwanted contact. If attackers can bypass it and find real addresses, that protection disappears. Once someone has a person’s actual email, they can track them across multiple websites, send targeted spam, or launch phishing attacks designed specifically for that person.
The flaw reveals a broader problem: the gap between what companies promise and what their systems actually deliver. Many people trust Apple because the company markets itself as privacy-focused and charges for privacy features. But this vulnerability shows that paying for protection doesn’t guarantee it works.
Apple has not released a public statement about fixing the flaw or how long it has existed. Users currently using the service won’t know if their real addresses have already been exposed through this vulnerability. The company typically addresses security issues quietly, but users need to know if their paid privacy tool has been compromised.
The incident is a reminder that no privacy tool is perfect. Even from companies known for security, vulnerabilities can exist for extended periods. Anyone relying on Hide My Email or similar services should assume their real address could potentially be discovered and plan accordingly.
Source: https://www.404media.co/apple-hide-my-email-vulnerability-reveals-peoples-real-email-addresses

