Major Apple Bug Appears to Disclose All Real Emails for 'Hide My Email' Users
A vulnerability in Apple's privacy-focused iCloud Plus feature allows attackers to discover users' real email addresses.
- A bug in Apple's Hide My Email feature for iCloud+ exposes users' real email addresses in message headers when they reply to forwarded emails.
- The vulnerability was disclosed by CNET on March 26, 2025, based on findings from an unnamed security researcher; Apple has not yet commented on a fix.
- Hide My Email generates random addresses that forward to a user's real iCloud account, designed to prevent companies from tracking the user's actual email.
- The bug reportedly affects all iCloud+ subscription tiers, potentially impacting over 400 million subscribers worldwide.
- Security experts recommend disabling Hide My Email for critical accounts and using temporary email services until Apple releases a patch.
Frequently Asked Questions
A vulnerability in Apple's Hide My Email feature allows attackers to discover users' real email addresses. The bug appears when a user replies to an email sent to a random Hide My Email address, causing the real address to be exposed in email headers.
Hide My Email is a privacy feature in Apple's iCloud+ subscription. It generates unique, random email addresses that forward messages to the user's actual iCloud account. Users can create and delete these addresses at will.
All iCloud+ subscribers who use Hide My Email may be affected. The bug impacts any user who replies to or composes emails through a generated address, potentially revealing their real email to the recipient.
As of now, Apple has not released a patch or made an official statement. The company typically addresses such issues via server-side changes or iOS updates. Users should monitor Apple's security advisories.
Until Apple provides a fix, consider disabling Hide My Email for sensitive accounts. Use temporary email services for new sign-ups. Avoid replying to forwarded emails through generated addresses.
The bug compromises the privacy promise of Hide My Email. For non-critical accounts, the risk may be low, but for high-stakes privacy, it is advisable to use alternative methods until Apple releases a fix.
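A defender-side check for the header exposure described above, added here as an example and not taken from CNET, Apple or the researcher: it parses a saved copy of a reply and lists every header that contains the real address. The addresses, the `X-Constructed-*` header names and the function name `audit_reply` are constructed for illustration; the page does not say which header carries the leak.

```python
import base64
import email
from email import policy

REAL = "jane.doe@mail.example"        # constructed real address
ALIAS = "random-7f3k@relay.example"   # constructed Hide My Email style alias


def audit_reply(raw: bytes, real_address: str, alias: str) -> dict:
    """Report which headers of a saved reply mention the real address."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    needle = real_address.lower()
    # policy.default unfolds headers and decodes RFC 2047 encoded words,
    # so an encoded copy of the address is matched as well as a literal one.
    leaks = [name for name, value in msg.items()
             if needle in str(value).lower()]
    sender = msg["From"]
    from_addrs = [a.addr_spec.lower() for a in sender.addresses] if sender else []
    return {"from_is_alias": from_addrs == [alias.lower()], "leaks": leaks}


# Constructed sample replies (not captured traffic).
CLEAN = (
    b"From: random-7f3k@relay.example\r\n"
    b"To: shop@store.example\r\n"
    b"Subject: Re: Your order\r\n"
    b"\r\n"
    b"Thanks.\r\n"
)
# Same reply with the real address in a hypothetical extra header.
LEAKY = CLEAN.replace(
    b"Subject:", b"X-Constructed-Sender: <jane.doe@mail.example>\r\nSubject:")
# Same reply with the real address hidden inside a base64 encoded word.
ENCODED = CLEAN.replace(
    b"Subject:",
    b"X-Constructed-Note: =?utf-8?b?" + base64.b64encode(REAL.encode())
    + b"?=\r\nSubject:")
# Reply sent from the real address instead of the alias.
FROM_REAL = CLEAN.replace(ALIAS.encode(), REAL.encode())

if __name__ == "__main__":
    for label, raw in [("clean", CLEAN), ("leaky", LEAKY),
                       ("encoded", ENCODED), ("from_real", FROM_REAL)]:
        print(label, audit_reply(raw, REAL, ALIAS))
```

Run it against the raw source of a test reply sent to an address you control, since only the recipient's copy shows the headers that actually left the mail service.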
Original source: www.cnet.com