Tyler Murphy told Apple about the problem more than a year ago. The vulnerability in Apple's Hide My Email feature — designed to shield iCloud+ subscribers from spam by generating anonymous relay addresses — allows anyone to unmask the real inbox behind an alias in a matter of minutes.

Apple still hasn't fixed it.

A 404 Media investigation published this week confirmed that Murphy, co-founder of data removal service EasyOptOuts, reported the flaw and waited. Every alias he tested was exploitable. With over one billion active Apple devices worldwide and iCloud+ subscribers relying on Hide My Email for precisely this purpose, the pool of users potentially exposed is enormous.

The feature works simply. When you sign up for a website or app using Sign in with Apple, Hide My Email generates a random address — something like [email protected] — that forwards to your real inbox. The idea is that the website never sees your actual email. The bug breaks that promise entirely.

Then Apple made a second decision that compounded the problem. On June 16, the company quietly announced it would move all Hide My Email addresses to a new, unified domain: @private.icloud.com. The stated purpose was tidiness — consolidating Sign in with Apple and iCloud+ Hide My Email under one roof.

The consequence was immediate. As MacRumors reported, any developer can now detect and reject a Hide My Email signup with a single line of code: a regex check for @private.icloud.com. Before the change, aliases were harder to distinguish from regular iCloud addresses. Now they carry a neon sign.

The old addresses blended in. The new ones announce themselves.

For anyone who publishes a newsletter, runs an online store, or manages a subscriber list, this matters in two directions. First, a meaningful number of your subscribers may have signed up using Hide My Email aliases that are vulnerable to the unfixed leak. Second, the domain change means the privacy-conscious segment of Apple's user base — which skews toward higher-income, higher-engagement demographics — can now be filtered out of your signups entirely by any platform that chooses to block the domain.

TechCrunch's coverage noted that this change effectively makes the privacy feature less effective, even as Apple continues to charge for it as part of the iCloud+ subscription.

What to take from this

  • If you use Hide My Email as a subscriber, assume your real address may already be exposed through the unfixed vulnerability. Consider creating a dedicated email alias through a different provider for sensitive signups.

  • If you run an email list, check how many of your subscribers use @privaterelay.appleid.com or @private.icloud.com addresses. These subscribers chose privacy — respect that. But know that the unfixed bug means their addresses may not be as hidden as they think.

  • If you rely on email as a channel, this is another reminder that the inbox infrastructure you depend on is controlled by a handful of companies making unilateral decisions. Apple changed the domain with a developer notification. No public announcement. No subscriber opt-in.

The feature that was supposed to protect users exposed them instead. And the patch made the feature easier to bypass. If your business model touches email — and most do — the ground just shifted beneath you again.

Keep Reading