A vulnerability in Apple's iCloud+ "Hide My Email" feature can reveal a user's real email address despite the service's anonymized forwarding [1, 2].

This flaw undermines a core privacy promise for millions of users on iOS, iPadOS, and macOS who rely on the service to prevent their personal contact information from leaking to third parties [1, 3].

Security researcher Tyler Murphy discovered the bug and reported it to Apple more than 12 months ago [1]. The vulnerability stems from a coding error in the email-forwarding logic that leaks the original address when specific API calls are made [1, 2, 3]. Despite the report, the flaw remains unpatched as of this week [1, 2].

"I reported this to Apple over a year ago and they still haven’t fixed it," Murphy said [1].

Other security researchers said the bug allows an attacker to retrieve the real address even when a user is using Apple’s anonymous forwarding service [2]. This creates a significant gap in the privacy shield Apple markets as a primary benefit of its paid iCloud+ subscription.

Apple has acknowledged the issue but has not yet released a patch for the existing logic. A company spokesperson said Apple is aware of the issue but is focusing on a broader redesign of Hide My Email rather than an immediate patch [3].

This redesign was previously mentioned in reports on June 16, 2026 [3]. While the company suggests the overhaul will address the underlying problems, the current version of the tool remains vulnerable to exploitation until the new system is fully deployed [1, 3].

The delay in patching this vulnerability suggests a strategic decision by Apple to prioritize a complete architectural overhaul over a temporary fix. However, this leaves a window of risk for users who believe their identities are hidden, potentially exposing them to targeted phishing or data harvesting while the company transitions to a new system.