Skip to main content
2025-01-01

Question of the Day

Question of the day · 2026-07-01 ·

One question per day to look beyond the headlines.

Where does Hide My Email’s privacy promise break—at the alias generator, or the proxy mapping behind it?

Take-away Hide My Email’s privacy fails when aliases remain deterministically linkable to the backend identity mapping, so knowing an alias lets attackers resolve the real address.

The privacy promise of Apple's Hide My Email seems to break at both the alias generator and the proxy mapping behind it. Vulnerabilities in the service allow attackers to potentially link alias addresses created by Hide My Email to users' real accounts or addresses. This is due to a vulnerability that exposes real email addresses from the generated alias addresses [1], [2], [3]. The issue can reportedly be exploited to reveal the real email addresses within minutes [3]. Additionally, despite intended privacy protections, all tested Hide My Email addresses were found to be exploitable, indicating that both the alias generator and the proxy mapping may be at fault [2], [3]. Apple acknowledges this issue and is reportedly investigating, but a final fix has yet to be released [3].

Sources · 2026-07-02