@privaterelay.appleid.comHide My Email is a flagship iCloud+ subscription feature that promises to let users create disposable, anonymous email addresses that forward to their real inbox without ever exposing the actual address . This bug completely breaks that promise: any party with access to a generated alias (a website, a data broker, or a malicious actor) can potentially discover the user’s real email, defeating the purpose of the feature for privacy, anti-tracking, and spam prevention
.
@private.icloud.com, replacing the previous split between @icloud.com and @privaterelay.appleid.com This change does not fix the underlying vulnerability. Instead, it makes the feature worse for privacy in a different way . Previously, a Hide My Email alias (e.g.,
abc123@icloud.com) was indistinguishable from a regular personal iCloud email address, so websites could not tell whether a user was anonymous . The new domain
@private.icloud.com unambiguously marks every address as a privacy alias, making it trivial for any website or service to block, flag, or refuse anonymous sign-ups . Privacy advocates have described this as a move that “removes that ambiguity entirely” and makes the feature less usable for its core purpose
.
As of July 1, 2026, the core vulnerability remains unpatched — over a year after initial disclosure .
The fact that Apple has not genuinely fixed the reverse-tracing vulnerability for over a year — despite claiming it was patched in March 2026 — has raised questions about Apple’s security response process and whether iCloud+ privacy features receive adequate engineering attention .
In March 2026, multiple outlets reported that Apple gave the FBI the real iCloud email address linked to a Hide My Email alias during a threat investigation . Court filings showed Apple turned over the identity of at least two iCloud+ subscribers who used the feature
. While Apple’s terms of service have always allowed this for lawful requests, the episode revealed just how much information Apple can and will hand over — including the mapping between aliases and real accounts
. This contradicts the marketing impression of “anonymous” email masking and has further eroded trust in the feature’s privacy claims
.
@private.icloud.com domain shift — does not solve the vulnerability and instead makes it easier for services to block anonymous users