by dpoloncsak
412 days ago
I think they're saying users with alternative sign-in methods are unaffected, but users without another sign-in method are locked out. Otherwise, how do you verify the user is requesting the one-time sign-in and not a threat actor trying to associate the account to their own email?

That said, any sensitive data in our service is either encrypted with a user-provided phrase or never sent to our servers at all. We’ve put a lot of effort into security, but we honestly didn’t expect this kind of curveball from Apple — where the login email they issued suddenly becomes invalid and breaks access.
We’re waiting for a response from Apple and exploring safe fallback options in the meantime.