Why Apple Refused to Fix this iCloud Privacy Bug for 12 Months

https://www.iphoneincanada.ca/2026/07/01/why-apple-refused-to-fix-this-icloud-privacy-bug-for-12-months/

Publish Date: 2026-07-01 13:56:00

Source Domain: www.iphoneincanada.ca

According to a report by 404 Media, a security loophole in Apple’s premium iCloud+ service allows almost anyone with minimal technical skill to unmask the real email address hidden behind Apple’s randomized Hide My Email aliases.

Making matters worse, Apple has allegedly known about the security flaw for over a year but has failed to deploy a permanent fix.

Hide My Email is a popular privacy tool bundled into Apple’s paid iCloud+ tiers. It lets users generate unique, randomized email addresses ending in the @icloud.com domain when signing up for apps, newsletters, or websites. The feature is built to protect users from data breaches, targeted tracking, and endless spam.

The vulnerability was originally discovered and reported to Apple in June 2025 by Tyler Murphy, the co-founder of data privacy firm EasyOptOuts. In standard responsible disclosure fashion, Murphy provided Apple with explicit replication steps, giving the iPhone maker ample time to address the issue before going public. Yet, more than 12 months later, the flaw remains entirely active in production.

Frustrated by the lack of an effective patch, Murphy decided to coordinate a partial disclosure with 404 Media to warn the public. “Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses,” Murphy told the publication, adding that he did not feel comfortable withholding the warning any longer.

To verify the severity of the claim, 404 Media conducted its own independent testing. A reporter generated a brand-new Hide My Email address and handed the alias over to Murphy. Within five minutes, Murphy successfully extracted the reporter’s real personal email address linked to their Apple account.

To protect users from active exploitation, the specific technical mechanism behind the exploit is currently being withheld from publication. However, the real-world implications of the leak are significant. “Free, publicly accessible…
