A vulnerability in Apple's Hide My Email feature, used by millions of iCloud+ subscribers to mask their real inboxes, has allowed attackers to uncover those hidden addresses — and the company has failed to patch it for more than a year.
"Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses," Tyler Murphy, co-founder of data-removal service EasyOptOuts, told 404 Media.
Murphy discovered the bug in June 2025 and reported it to Apple. The company responded a month later saying it was investigating. In March 2026, Apple claimed the issue had been addressed in a system change, but Murphy found the vulnerability remained exploitable. In tests conducted with volunteers, 100 percent of Hide My Email addresses were vulnerable, according to 404 Media's own verification.
The bug undermines a core selling point of Apple's iCloud+ service, which charges subscribers for privacy features including Hide My Email, iCloud Private Relay, and HomeKit Secure Video. Apple shares trade at roughly 30 times forward earnings, with services revenue — including iCloud subscriptions — reaching $26.3 billion in fiscal 2025, making the segment a key growth driver as hardware sales slow.
The vulnerability allows anyone with access to a Hide My Email alias to trace it back to the user's real Apple ID email address within minutes, Murphy said. Publicly accessible people-search sites then make it easy to link that email to other personal details such as phone numbers and physical addresses, amplifying the privacy risk beyond Apple's ecosystem.
Apple has not disclosed the technical details of the exploit, and 404 Media withheld specifics to prevent active exploitation. The outlet confirmed the bug remained live as of July 1, 2026, when it verified the issue using one of its own generated addresses.
This is not the first time Apple's privacy promises have fallen short. In 2022, the company faced a class-action lawsuit after iPhone apps continued sending analytics data to Apple even when the iPhone Analytics setting was turned off. In 2023, researchers found that Apple's MAC address randomization feature — designed to anonymize users on Wi-Fi networks — was effectively exposing the real MAC address instead.
The timing compounds the damage. In June 2026, Apple told developers it would stop generating Hide My Email addresses with the @icloud.com domain and switch to @privaterelay.appleid.com, a change that TechCrunch reported would make it easier for websites to block anonymous signups. The domain shift, combined with the unresolved vulnerability, raises questions about Apple's commitment to the feature's core privacy promise.
For investors, the reputational risk is material. Apple has built its brand premium around privacy, with Chief Executive Officer Tim Cook repeatedly calling it a "fundamental human right." A sustained erosion of that trust could pressure iCloud+ subscription growth, which contributes to the services segment that generated $26.3 billion in revenue in fiscal 2025 — roughly 22 percent of total revenue. Apple did not respond to a request for comment.