Apple's promise was clear: generate anonymous email addresses for signing up to services or communicating without exposing your real address. A cornerstone of privacy for millions of iCloud+ subscribers. But a vulnerability discovered by Tyler Murphy, co-founder of EasyOptOuts, shows that the protective wall was made of paper: with a few steps it was possible to trace the real identity of the owner, and Apple knew about it for over a year without acting.
What went wrong with the masking
Hide My Email allows creating random addresses – two words and a number followed by @icloud.com – that forward messages to your real inbox while keeping it hidden. The flaw, whose technical details Murphy and 404 Media are not disclosing to avoid immediate exploitation, made it possible to link that alias to the true email address in about five minutes. In Murphy's tests, the success rate was 100%. The alarm is twofold: not only did the anonymization mechanism break down, but its weakness was systemic and replicable on any account.
The bumpy roadmap of the disclosure
Murphy contacted Apple in June 2025. A month later the company replied that it was investigating. In March 2026, Apple claimed to have “addressed the reported issue in a recent system update”, but Murphy's tests proved otherwise. More details were sent, and another non-committal response followed. By May 2026 Apple was writing that it was still “investigating” and asked not to disclose the information until the investigation was complete. Murphy proposed suspending sales of Hide My Email to limit risk, but received no reply. Only in late May did Apple promise a fix “in the coming weeks.” At the time of publication, the patch was not available.
Why this touches data sovereignty
The story goes beyond a single bug. People use masking tools to manage their digital exposure: avoid spam, decouple personal identities from throwaway accounts, guard against data breaches. The failure of Hide My Email proves that outsourcing protection to a cloud provider without independent verification mechanisms leaves the user at the mercy of the vendor's transparency (and timeliness). For enterprises or professionals who need compartmentalization, this episode is a reminder: layered anonymization is not infallible and trust in the cloud cannot be the only barrier. In environments where data sovereignty is critical – healthcare, law firms, organizations evaluating on-premise stacks for LLMs – the principle is the same: data control must stay in-house, and external services need continuous auditing, not promises.
Apple's move and the paradox of the new domain
TechCrunch reported in June that Apple plans to change the domain of generated addresses from @icloud.com to @private.icloud.com, a shift that will make it easier for web services to proactively block signups from these aliases, reducing their effectiveness. It's a paradox: while the feature remains vulnerable, the company introduces a change that weakens its utility. The signal fits a broader picture: the rush to offer marketing-friendly privacy features without a robust security architecture creates an illusion of protection that can be worse than having no tools at all, because it encourages more careless behavior.
For Murphy, going public was driven by the awareness that those relying on Hide My Email for their safety deserved to know. “We don't know why it hasn't been fixed, but we don't feel comfortable waiting any longer,” he said. In an industry where response times measure a vendor's seriousness, that statement carries heavy weight.
💬 Comments (0)
🔒 Log in or register to comment on articles.
No comments yet. Be the first to comment!