Commentary

Wormy Apple: Researchers Say They Found Holes In Hide My Email

Apple has a service called Hide My Email that helps iCloud+ customers worldwide maintain their privacy.  

It sounds good, but now there are charges that it is not so private. EasyOptOuts, a personal data removal service, posted this announcement earlier this week, as written by its founders, identified as Ben and Tyler:  “We've discovered vulnerabilities in Hide My Email that allow attackers to discover the meant-to-be-hidden address behind a Hide My Email address. We reported the issue to Apple over a year ago, and as of June 30, 2026, it still hasn't been fixed.”

The announcement does not reveal the specific issues, but says the firm will do so when they are resolved. Until that happens, the claims are vague.

EasyOptOuts adds, “About a month ago, we realized that the vulnerabilities' severity and scope are greater than we initially thought. We're publicly disclosing the existence of the vulnerabilities now because we think Hide My Email users deserve to know that their email addresses may not actually be hidden.”

advertisement

advertisement

The announcement notes that people use Hide My Email to “send and receive emails while keeping their personal, permanent email address private. The service generates random, unique email addresses to act as an intermediary between your actual email address and the people you're emailing. For example, you could be given the email address random.email.22@icloud.com to hide your real email address, realname@example.com. People use Hide My Email addresses to sign up for accounts and communicate while maintaining privacy and anonymity."

EasyOptOuts says it discovered the vulnerability on June 11, 2025, and promptly reported it. Apple responded that Hide My Email is  "not intended by design to allow discovery of the hidden address" and asked for more details.  EasyOptOuts sent several follow-ups including a detailed report on June 13 and other messages on June 20 and July 9, the latter claiming “a different vulnerability that also allows hidden email addresses to be discovered.” On July 14, Apple acknowledged it was reviewing the vulnerabilities and “asked us to verify,” EasyOptOuts continues. 

The dialogue continued into this year. On March 3, Apply reported the problem was solved, and asked the EastOptOuts team to verify. They did on March 19 and stated the vulnerabilities had not been fixed. In May, they realized that “the vulnerabilities may have greater severity and scop[e] than we thought initially and reported this to Apple.”  

On Tuesday, June 30, Apple said it had fixed the vulnerabilities, but EasyOptOuts argues that it hasn’t. 

Next story loading loading..