Apple 'Hide My Email' Vulnerability Reveals People's Real Email Addresses

Apple promised privacy, but commenters say the secret email mask is basically see-through

TLDR: Researchers say Apple’s email-masking feature can still reveal people’s real addresses, even after more than a year of reports and claimed fixes. Commenters are furious at the delay, with some playing detective about the bug and others calling for Apple to face media and regulator pressure.

Apple’s Hide My Email is supposed to be the digital equivalent of sunglasses and a fake name: a way for iCloud+ users to message and sign up for things without giving away their real email address. Instead, the big shocker here is that researchers say they found not one but multiple ways to uncover the very address Apple promised would stay hidden — and after reporting it in June 2025, they say Apple still hadn’t truly fixed it by June 30, 2026. That timeline alone had the comment section doing a full-body groan.

The loudest reaction was pure disappointment. One commenter bluntly called it “disappointing” that the flaw exists at all, and even worse that Apple apparently took more than a year to not even fix it. Ouch. Others immediately went into detective mode, trying to guess how the leak works without the researchers giving away details that could hurt users. One person fired off a string of theories about bounced emails, login attempts, and behind-the-scenes message handling — the classic internet moment where the crowd starts building its own mystery board with red string.

Then came the escalation crowd. One commenter basically said: stop waiting, lawyer up, notify the media, alert regulators. In other words, the vibes shifted fast from “that’s bad” to “drag them into the sunlight.” Even the quieter comments — like people posting a timeline and an archive link — felt like receipts being entered into evidence. The mood? Betrayed, impatient, and deeply unimpressed. When your privacy feature’s whole job is to hide your email, commenters think there’s only one standard that matters: it either works, or it’s a scandal.

Key Points

  • The article says vulnerabilities in Apple’s Hide My Email can expose the real email address behind Apple-generated aliases.
  • The researchers state they first reported the issue to Apple on June 11, 2025, and provided further reports and reproduction details afterward.
  • According to the timeline, Apple twice said the vulnerabilities were fixed, on March 3, 2026 and June 30, 2026, but the researchers say their verification showed they were not fixed.
  • The authors say they later determined the vulnerability’s severity and scope were greater than they initially believed.
  • The article says exploit details are being withheld until a fix is available, while the authors call for interim mitigations and user notification.

Hottest takes

"over a year to not even fix it" — FabHK
"give notice of 30 days" — fsuts
"Is it based on mail undeliverable errors?" — rubatuga