:

APPLE'S 'HIDE MY EMAIL' FEATURE EXPOSES REAL ADDRESSES

AI DESK2 MIN READ
WED, JUL 1, 2026

■ AI-SUMMARIZED FROM 3 SOURCES ▸ TIMELINE

A vulnerability in Apple's privacy-focused 'Hide My Email' service has been found to leak users' actual email addresses. The flaw undermines the core purpose of the feature, which generates masked addresses to protect user identity.

Apple's 'Hide My Email' feature, part of iCloud+, was designed to let users create masked email addresses that forward to their real inboxes while keeping their primary address hidden. Security researchers discovered that the implementation contains a vulnerability allowing attackers to reveal the underlying email addresses. The vulnerability works by exploiting how Apple handles the forwarding mechanism. By analyzing server responses and metadata, attackers can determine which real email address corresponds to a masked address, effectively defeating the privacy protection. The issue highlights a common challenge in privacy-focused tools: the gap between design intent and actual implementation. Users who believed their real addresses were protected could be exposed to targeted attacks, spam, or social engineering. Apple has not yet publicly acknowledged the vulnerability or announced a fix. The feature remains active across iPhone, iPad, Mac, and web platforms. Users currently relying on 'Hide My Email' for privacy may want to reconsider how they're using masked addresses until Apple addresses the issue. This discovery adds to ongoing scrutiny of Apple's privacy claims. The company has marketed itself as privacy-first, yet security researchers continue to uncover gaps between marketing and reality. For users who have already created masked addresses through the service, the immediate risk depends on whether any attacker has already exploited this vulnerability. Those who shared masked addresses with untrusted services face the highest exposure. The vulnerability was reported to Apple ahead of public disclosure, following standard security research practice. The timeline for a fix remains unclear.

■ SOURCES

Hacker NewsTechCrunchWired

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE

■ MORE FROM THE SECURITY DESK

SAP released security updates for 16 vulnerabilities in July 2026, including three critical flaws affecting NetWeaver, Commerce Cloud, and AppRouter. The patches address risks across multiple enterprise software components.

2H AGOIndustry Desk

Two newly discovered phishing kits, Jalisco and OmegaLord, are actively targeting Microsoft 365 accounts with techniques designed to circumvent multi-factor authentication protections.

2H AGOSecurity Desk

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned two individuals and one entity for enabling ransomware attacks against American organizations. The action targets infrastructure providers facilitating cyber threats.

5H AGOSecurity Desk

As scam calls and messages proliferate, ordinary people are turning the tables on fraudsters through scambaiting—deliberately engaging scammers to waste their time and resources.

8H AGOIndustry Desk

■ SUBSCRIBE TO THE DAILY BRIEF

ONE EMAIL, 5 STORIES, 06:00 UTC. UNSUBSCRIBE ANYTIME.