Why Apple Refused to Fix this iCloud Privacy Bug for 12 Months
According to a report by 404 Media, a security loophole in Apple’s premium iCloud+ service allows almost anyone with minimal technical skill to unmask the real email address hidden behind Apple’s randomized Hide My Email aliases.
Making matters worse, Apple has allegedly known about the security flaw for over a year but has failed to deploy a permanent fix.
Hide My Email is a popular privacy tool bundled into Apple’s paid iCloud+ tiers. It lets users generate unique, randomized email addresses ending in the @icloud.com domain when signing up for apps, newsletters, or websites. The feature is built to protect users from data breaches, targeted tracking, and endless spam.
The vulnerability was originally discovered and reported to Apple in June 2025 by Tyler Murphy, the co-founder of data privacy firm EasyOptOuts. In standard responsible disclosure fashion, Murphy provided Apple with explicit replication steps, giving the iPhone maker ample time to address the issue before going public. Yet, more than 12 months later, the flaw remains entirely active in production.
Frustrated by the lack of an effective patch, Murphy decided to coordinate a partial disclosure with 404 Media to warn the public. “Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses,” Murphy told the publication, adding that he did not feel comfortable withholding the warning any longer.
To verify the severity of the claim, 404 Media conducted its own independent testing. A reporter generated a brand-new Hide My Email address and handed the alias over to Murphy. Within five minutes, Murphy successfully extracted the reporter’s real personal email address linked to their Apple account.
To protect users from active exploitation, the specific technical mechanism behind the exploit is currently being withheld from publication. However, the real-world implications of the leak are significant. “Free, publicly accessible people-search sites make it easy to link an email address to other personal details, so people relying on Hide My Email for safety may be at risk,” Murphy warned.
Reports indicate that Apple plans to transition Hide My Email aliases away from the standard @icloud.com suffix to a dedicated @private.icloud.com domain.
