Particle.news
Download on the App Store

Apple Hide My Email Flaw Lets Aliases Be Traced to Real Addresses

The vulnerability remains publicly reported and unpatched more than a year after it was disclosed, raising risks that people-search sites can link aliases to users’ real accounts.

Overview

  • A security researcher at EasyOptOuts first reported the flaw to Apple in June 2025 and provided steps to reproduce the issue.
  • Apple told the researcher it had “addressed” the problem in March 2026 then later said it was still investigating and expected a security update in the coming weeks.
  • On Wednesday, July 1, 2026 multiple outlets verified the vulnerability while withholding technical details to avoid enabling exploits.
  • Limited tests reported by the researcher found every tested Hide My Email alias could be reverse-mapped to the real iCloud address, which lets free people-search databases tie aliases to other personal data.
  • Apple’s planned move to use the private.icloud.com relay domain may make aliases easier for sites to detect or block and could further weaken the practical anonymity Hide My Email provides.