Apple's Hide My Email feature, built into iCloud+ subscriptions that cost $2.99 monthly, contains a serious privacy flaw that leaks users' actual email addresses. The issue has persisted for over a year despite Apple's awareness.

Hide My Email generates masked email addresses designed to shield your real inbox from marketers and spammers. Users rely on this feature when signing up for services they don't fully trust. The flaw exposes the real address behind the mask in certain situations, defeating the tool's entire purpose.

This matters for iCloud+ subscribers who pay specifically for privacy protections. Apple includes Hide My Email alongside other security features as a core selling point of the $2.99-per-month tier (or bundled with Apple One plans starting at $14.95 monthly). Subscribers assume their real addresses stay hidden.

The fact that Apple knew about the vulnerability for over a year raises questions about priority and transparency. The company typically patches security issues quickly, but this flaw languished unresolved. Apple has not publicly disclosed when or how the company plans to fix the problem.

For current iCloud+ users, the risk involves any service where Hide My Email masks were used. If the flaw allows address exposure, those services now possess your real contact information despite your efforts to stay anonymous. This creates exposure to targeted spam, phishing campaigns, and data broker sales.

iCloud+ subscribers should consider the practical implications. If you've used Hide My Email on financial accounts, dating apps, or shopping sites, your real address may already be exposed. Changing your password alone won't help. You'd need to update your real address wherever it leaked.

Apple competitors like ProtonMail and Fastmail offer similar email masking features. Neither has reported comparable flaws. Users frustrated with this issue could switch services, though migrating email is disruptive.

The broader lesson applies