Particle.news

Hide My Email Flaw Lets Attackers Unmask Users’ Real Addresses

A verified, year‑old bug remains unpatched, leaving iCloud+ forwarding aliases exposed and reducing the feature’s privacy protections.

Overview

  • A researcher at EasyOptOuts first reported the vulnerability to Apple in June 2025 and provided replication steps. Apple acknowledged the report and promised a fix.
  • Apple told the researcher in March 2026 that a recent system change had addressed the issue, but the researcher found the flaw persisted and supplied further details.
  • 404 Media independently verified the exploit this week by creating a Hide My Email alias and having the researcher reveal the linked real address in about five minutes.
  • Apple has told the researcher it expects to issue a security update but has not released a public patch as of this report. Technical details are being withheld to avoid enabling attackers.
  • Apple’s planned migration of new aliases to the @private.icloud.com domain, announced to developers in mid‑June, could make Hide My Email addresses easier for sites to detect or block, and it increases the risk that exposed aliases will be linked to people‑search databases.