A vulnerability in Apple's privacy-focused 'Hide My Email' service has been found to leak users' actual email addresses. The flaw undermines the core purpose of the feature, which generates masked addresses to protect user identity.
Apple's 'Hide My Email' feature, part of iCloud+, was designed to let users create masked email addresses that forward to their real inboxes while keeping their primary address hidden. Security researchers discovered that the implementation contains a vulnerability allowing attackers to reveal the underlying email addresses.
The vulnerability works by exploiting how Apple handles the forwarding mechanism. By analyzing server responses and metadata, attackers can determine which real email address corresponds to a masked address, effectively defeating the privacy protection.
The issue highlights a common challenge in privacy-focused tools: the gap between design intent and actual implementation. Users who believed their real addresses were protected could be exposed to targeted attacks, spam, or social engineering.
Apple has not yet publicly acknowledged the vulnerability or announced a fix. The feature remains active across iPhone, iPad, Mac, and web platforms. Users currently relying on 'Hide My Email' for privacy may want to reconsider how they're using masked addresses until Apple addresses the issue.
This discovery adds to ongoing scrutiny of Apple's privacy claims. The company has marketed itself as privacy-first, yet security researchers continue to uncover gaps between marketing and reality.
For users who have already created masked addresses through the service, the immediate risk depends on whether any attacker has already exploited this vulnerability. Those who shared masked addresses with untrusted services face the highest exposure.
The vulnerability was reported to Apple ahead of public disclosure, following standard security research practice. The timeline for a fix remains unclear.
U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.
Tailscale disclosed a critical vulnerability in its SSH implementation that allowed attackers to gain root access through insecure argument handling. The flaw has been patched in recent versions.
A new study found that social media platforms referred over 5.7 million visits to nonconsensual deepfake pornography sites between December 2025 and March 2026, with YouTube and X accounting for the majority of traffic.