
The discoverer contacted 404 Media to substantiate the flaw in Apple’s anonymization service. The journalists created a new address, which they shared with Tyler Murphy, the co-founder of the privacy service provider EasyOptOuts and the discoverer of the loophole. After five minutes he replied with the official main address of the linked main account.

New addresses are created automatically in the browser or are managed in the iCloud settings.
Not fixed for a year
Murphy approached Apple with his discovery. The company responded that it wanted to investigate the error. That was in June 2025. It stayed quiet for a long time. But in March, Apple’s developers reported back with the good news that the relevant systems had been adjusted and the problem had been resolved. Murphy could not understand this: he was still able to determine real iCloud addresses. He contacted Apple again, and an investigation was announced again.
Still advertised as part of the paid subscription
Apple repeatedly asked the discoverer not to go public with his discovery in order not to endanger the safety of users. In May, Apple’s developers promised a change “in the coming weeks”. After more than a year had passed, Murphy felt further secrecy was no longer justifiable. At the same time, he did not reveal in detail how he determined the addresses. In the meantime, Apple continues to advertise enhanced privacy features for the “iCloud+” paid subscription.

Apple announces change of domain
A few weeks ago, Apple announced in the developer documentation that it would be making a change to the anonymization functions: from now on, email addresses will be kept under the domain “@private.icloud.com”; however, existing addresses remain active. The change sparked criticism on TechCrunch: the changed subdomain makes it easier for providers to recognize and block anonymized addresses.














