:

APPLE'S 'HIDE MY EMAIL' FEATURE EXPOSES REAL ADDRESSES

AI DESK2 MIN READ
WED, JUL 1, 2026

■ AI-SUMMARIZED FROM 3 SOURCES ▸ TIMELINE

A vulnerability in Apple's privacy-focused 'Hide My Email' service has been found to leak users' actual email addresses. The flaw undermines the core purpose of the feature, which generates masked addresses to protect user identity.

Apple's 'Hide My Email' feature, part of iCloud+, was designed to let users create masked email addresses that forward to their real inboxes while keeping their primary address hidden. Security researchers discovered that the implementation contains a vulnerability allowing attackers to reveal the underlying email addresses. The vulnerability works by exploiting how Apple handles the forwarding mechanism. By analyzing server responses and metadata, attackers can determine which real email address corresponds to a masked address, effectively defeating the privacy protection. The issue highlights a common challenge in privacy-focused tools: the gap between design intent and actual implementation. Users who believed their real addresses were protected could be exposed to targeted attacks, spam, or social engineering. Apple has not yet publicly acknowledged the vulnerability or announced a fix. The feature remains active across iPhone, iPad, Mac, and web platforms. Users currently relying on 'Hide My Email' for privacy may want to reconsider how they're using masked addresses until Apple addresses the issue. This discovery adds to ongoing scrutiny of Apple's privacy claims. The company has marketed itself as privacy-first, yet security researchers continue to uncover gaps between marketing and reality. For users who have already created masked addresses through the service, the immediate risk depends on whether any attacker has already exploited this vulnerability. Those who shared masked addresses with untrusted services face the highest exposure. The vulnerability was reported to Apple ahead of public disclosure, following standard security research practice. The timeline for a fix remains unclear.

■ SOURCES

Hacker NewsTechCrunchWired

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE

■ MORE FROM THE SECURITY DESK

U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.

3H AGOIndustry Desk

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.

3H AGOSecurity Desk

Tailscale disclosed a critical vulnerability in its SSH implementation that allowed attackers to gain root access through insecure argument handling. The flaw has been patched in recent versions.

6H AGOAI Desk

A new study found that social media platforms referred over 5.7 million visits to nonconsensual deepfake pornography sites between December 2025 and March 2026, with YouTube and X accounting for the majority of traffic.

8H AGOIndustry Desk

■ SUBSCRIBE TO THE DAILY BRIEF

ONE EMAIL, 5 STORIES, 06:00 UTC. UNSUBSCRIBE ANYTIME.