It turns out one of Apple’s privacy features may not be as secure as users thought. Apple’s Hide My Email feature currently has a vulnerability that can reveal users’ real email addresses, 404 Media reports. Hide My Email is an iCloud+ feature that lets users create unique, random email addresses when signing up for apps, websites, and other online accounts. Messages sent to those addresses are then automatically forwarded to the user’s real inbox. On its support page, Apple says Hide My Email is designed to let users keep their “personal email address private.” But the privacy company EasyOptOuts told 404 Media that it discovered a vulnerability in the service that could let someone uncover the real email address tied to a Hide My Email alias.

404 Media did not disclose details of the exploit because the bug has not yet been fixed. However, the outlet verified the vulnerability by generating a Hide My Email address and sharing it with EasyOptOuts co-founder Tyler Murphy. Murphy was then able to connect the anonymous email to the corresponding Apple account in about five minutes.

The most shocking part is that Apple has reportedly known about the issue for more than a year and still has not fixed it. “Apple Hide My Email is leaking email addresses that are supposed to be hidden,” Murphy told 404 Media. “We reported the issue and replication instructions to Apple over a year ago. We don’t know why it hasn’t been fixed, but we don’t feel comfortable waiting any longer. Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses.”