Apple's 'Hide My Email' Has a Bug. Privacy by Subscription Only Goes So Far.
A researcher says Apple's 'Hide My Email' forwarding service can be tricked into revealing real addresses — and the incident exposes how privacy on consumer devices is increasingly a paid feature, not a baseline.

On 2 July 2026, a security researcher publicly demonstrated what looks like a genuine flaw in one of Apple's most heavily marketed privacy tools. The feature, called Hide My Email, lets paying iCloud+ subscribers generate throwaway addresses that forward mail to a real inbox. According to TechCrunch, the bug allows a sender to retrieve the user's real email address in some scenarios — a result that, if it holds up, would amount to the feature doing the opposite of what its name promises.
Privacy, in 2026, is a product. Apple sells it. You subscribe. What happens when the product breaks?
What the researcher claims
TechCrunch reported on 1 July 2026 that an independent researcher had found a way to abuse the forwarding flow and extract the underlying real address. The reporting is careful with language: TechCrunch writes that the claim "appears to reveal a bug" and that the feature is, in the researcher's account, "effectively useless" in at least one configuration. Indian Express, picking up the story on 2 July, framed the disclosure as "scrutiny over alleged 'Hide My Email' flaw" — the word "alleged" doing honest work, since Apple has not at the time of writing confirmed the vulnerability in detail.
That last point matters. Apple has spent the better part of a decade positioning itself as the privacy-first consumer platform, a position it has monetised into iCloud+, its $0.99-a-month-and-up subscription tier. Hide My Email is one of the marquee features of that tier, sitting next to Private Relay and the company's expanding inventory of on-device intelligence claims. A bug here is not a routine CVE. It is a brand event.
Why a paid privacy tier makes this messier
Most mainstream coverage of platform privacy assumes the threat model is the user against the internet: trackers, ad networks, data brokers. The harder question — the one the bug brings into focus — is what happens when the user is paying a platform precisely for privacy and the platform's tooling falls short. The relationship inverts. The user is now a customer of a privacy product, entitled to the protections of consumer law and warranty language, not merely the beneficiary of a free service's good-faith efforts.
Apple's marketing for iCloud+ leans heavily on the language of control: "you decide what you share," "your data is yours." That language implies a warranty. If a researcher has found a way to defeat the forwarding logic with the right crafted email, the question is not only technical. It is whether the feature was sold under representations that the implementation cannot meet. The researcher's framing — that the bug "renders the feature effectively useless" — is a claim about marketing as much as code.
The counter-narrative
It is worth saying plainly what we do not yet know. The researcher's findings have not, in the public reporting we have read, been confirmed by Apple. Disclosure timelines for security bugs are routinely opaque; Apple may already have a fix in a beta channel, or the issue may depend on a configuration most users never enable. The Indian Express piece uses "alleged." TechCrunch uses "researcher claims." Both are appropriate hedges.
There is also a reasonable structural counterpoint. Every major email-forwarding service — from simple aliases on custom domains to dedicated privacy products — has, at some point, surfaced a way to extract the underlying address. The history of anonymised mail is a history of these bugs. A single disclosure does not by itself indict Apple's engineering; it does, however, indict the marketing category. "Hide My Email" is not the first privacy brand to promise what its implementation only sometimes delivers.
What it means for the rest of us
The stakes are not really about one bug. They are about the category Apple has helped create: privacy as a subscription line item, sold alongside storage and family sharing. That model has clear appeal. It also has a structural problem. When the privacy layer is paid, its failures are product defects with commercial liability. When it is free, they are infrastructure problems with diffuse accountability. Neither is ideal, but only one of them is honest about the transaction.
For now, users running iCloud+ should treat the disclosure as a yellow flag rather than a red one — disable Hide My Email on any address used for sensitive recovery flows, watch for Apple's response, and assume that "hide" in product names is closer to "obscure" than to "remove." The Indian Express and TechCrunch reports, taken together, are the public artefact of a researcher doing exactly what independent researchers are supposed to do. The rest of the work — confirmation, patch, public post-mortem — belongs to Apple.
This publication framed the disclosure as a product-defect story inside the subscription-privacy category, rather than as either a routine CVE round-up or as a privacy-brand collapse narrative. The two source items we read are careful with "alleged" and "claims"; the prose above tracks that care.