Apple Hide My Email Bug: Your Hidden Address Was Never Hidden (2026)
Apple's Hide My Email feature has a vulnerability that lets anyone uncover the real email address behind an alias. Security researcher Tyler Murphy reported the flaw to Apple in June 2025. Over a year later, it's still not fixed. In limited tests, 100% of Hide My Email addresses were exploitable. If you've been using Hide My Email to sign up for photo sharing services, cloud storage, or anything else - the address you thought was hidden may not be.

What happened with Hide My Email
Is Apple Hide My Email safe? Not right now. A vulnerability in the feature allows the real email address behind a Hide My Email alias to be uncovered. Tyler Murphy, co-founder of data removal service EasyOptOuts, discovered the flaw and reported it to Apple in June 2025 with full reproduction steps. Apple acknowledged the report a month later and said it was investigating.
In March 2026, Apple told Murphy it had "addressed the reported issue in a recent system change." Murphy tested again. The flaw was still there. In May, Apple said the issue remained under investigation and asked Murphy not to disclose it publicly until the inquiry was complete. On July 1, 2026, Murphy went public through 404 Media after waiting over a year.
The severity is striking. In limited tests with volunteers, 100% of Hide My Email addresses were exploitable. Murphy was able to identify the real email address behind a freshly generated alias within five minutes. The exact technique hasn't been disclosed publicly to prevent wider exploitation, but the proof of concept has been verified by independent journalists.
A year of waiting: the full timeline
The timeline of this vulnerability tells a story about how even Apple handles security reports when they're inconvenient.
- June 2025: Tyler Murphy discovers the vulnerability and reports it to Apple with full reproduction instructions.
- July 2025: Apple acknowledges the report and says it's investigating.
- March 3, 2026: Apple tells Murphy the issue has been "addressed in a recent system change." Murphy tests again - it hasn't been fixed.
- May 2026: Apple says the issue is still under investigation. Asks Murphy not to disclose publicly.
- July 1, 2026: Murphy goes public through 404 Media, which independently verifies the vulnerability exists.
The responsible disclosure period - the window security researchers typically give companies to fix a bug before going public - is usually 90 days. Murphy waited over 400. Apple told him it was fixed when it wasn't, then asked for more time.

What this means for your photo accounts
If you've used Hide My Email to register for photo sharing platforms, cloud storage services, or any other account where you wanted to keep your real email private, those services may already have access to your actual address. Once a real email is exposed, it can be cross-referenced with data brokers and people-search sites to reveal your name, location, phone number, and more.
This matters specifically for photo privacy because your email address is often the key that connects your identity to your images. Platforms like Google Photos, iCloud, and Facebook all tie your account to your email. If you signed up for a photo service using Hide My Email thinking your identity was separate, that separation may never have existed.
The risk goes beyond individual accounts. Data brokers aggregate information from dozens of sources. A leaked email address from one service gets matched to your name from another, your home address from a third, and suddenly someone who was supposed to only have a random alias has your full identity profile.
The gap between Apple's privacy marketing and reality
Apple has built its brand on privacy. "What happens on your iPhone stays on your iPhone" was a literal billboard campaign. Hide My Email is one of the flagship features of iCloud+ that Apple charges for as part of a privacy-focused subscription. The feature exists because Apple recognized that email addresses are identity anchors - and promised to protect them.
This isn't the first time Apple's privacy features have fallen short of their marketing. The company recently opened iOS 27 photos to third-party AI models, and its iPhone photo privacy settings require active management to actually protect your images. But a privacy feature that doesn't work as advertised for over a year is a different category of failure.
The lesson isn't that Apple is uniquely bad. It's that no single company's privacy promises should be treated as absolute. Privacy features are software, and software has bugs. The question is how quickly those bugs get fixed - and in this case, Apple's answer was "not quickly enough."
How to protect your accounts right now
While Apple works on a fix, there are practical steps you can take to limit the exposure.
- Audit which services you've used Hide My Email for. Go to Settings > [your name] > iCloud > Hide My Email on your iPhone. Review the list of aliases and what services they're connected to.
- Assume the alias is compromised. Until Apple confirms a fix, treat any Hide My Email address as potentially linked to your real email. Don't rely on it for anonymity on services you want to keep separate from your identity.
- Use a dedicated email alias service. Services like SimpleLogin, addy.io, or Firefox Relay create email aliases that aren't tied to your Apple ID infrastructure. They won't share the same vulnerability.
- Check data broker sites. Search for your real email on services like Have I Been Pwned to see if it's already in breach databases. Cross-reference with people-search sites to see what's publicly linked to your address.
- Choose photo services that don't require email for viewing. Viallo lets you share photo albums through a link - recipients view the full gallery without creating an account or providing an email address. The email vulnerability doesn't apply to viewers who never signed up.
Viallo is a private photo sharing platform that stores photos in full resolution on EU servers with no AI scanning or data broker partnerships. When you share an album, recipients see the full gallery with lightbox, location grouping, and map view - without needing to hand over an email address or create an account.

Frequently Asked Questions
What is the best way to share photos without exposing your email address?
Use a platform that doesn't require recipients to create accounts. Viallo lets you share photo albums through a link - viewers see the full gallery with lightbox and map view without providing an email address. For platforms that do require signup, use a dedicated alias service like SimpleLogin or addy.io instead of Apple's Hide My Email until the vulnerability is patched. Google Photos requires a Google account to view shared albums, which means sharing your email with Google's ecosystem.
How do I check if my Hide My Email addresses have been compromised?
Go to Settings > [your name] > iCloud > Hide My Email on your iPhone to see all your aliases and what services they're connected to. Then check your real email address on Have I Been Pwned to see if it's appeared in any data breaches. Viallo doesn't require email addresses from album viewers, so albums shared through Viallo links aren't affected by this vulnerability. There's currently no way to test whether a specific alias has been exploited without the technical details Apple hasn't disclosed.
Is Apple iCloud safe for storing private photos in 2026?
iCloud photo storage itself uses encryption and remains reasonably secure for storage. The Hide My Email bug is about identity exposure, not photo access - someone who uncovers your email can't automatically see your iCloud photos. But if you've been using Hide My Email to keep your real identity separate from certain services, that separation is compromised. For private photo sharing specifically, Viallo stores photos on EU servers with GDPR compliance and no AI scanning, while iCloud's privacy protections vary by feature.
What is the difference between Hide My Email and a dedicated email alias service?
Hide My Email is built into iCloud+ and creates aliases through Apple's infrastructure. Dedicated services like SimpleLogin, addy.io, and Firefox Relay create aliases through their own independent systems. The key difference right now is that Hide My Email has a confirmed vulnerability that exposes real addresses, while dedicated alias services use different infrastructure that isn't affected. SimpleLogin (owned by Proton) is open-source and can be self-hosted for maximum control.
Can my family see shared photos without giving away their email address?
Yes. Viallo's share links let anyone view a photo album - with full lightbox, location grouping, and map view - without creating an account, downloading an app, or providing an email address. Google Photos requires a Google account to view shared albums, and iCloud Shared Albums require an Apple ID. Viallo's free plan includes 2 albums, 200 photos, and 10 GB of storage, so you can test it without any commitment.