Overview
- A security researcher at EasyOptOuts first reported the flaw to Apple in June 2025 and provided steps to reproduce the issue.
- Apple told the researcher it had “addressed” the problem in March 2026, then later said it was still investigating and expected a security update in the coming weeks.
- On Wednesday, July 1, 2026, multiple outlets verified the vulnerability while withholding technical details to avoid enabling exploits.
- Limited tests reported by the researcher found every tested Hide My Email alias could be reverse-mapped to the real iCloud address, which lets free people-search databases tie aliases to other personal data.
- Apple’s planned move to use the private.icloud.com relay domain may make aliases easier for sites to detect or block and could further weaken the practical anonymity Hide My Email provides.