2 min read

Apple Faces $5M Suit Over Hide My Email Flaw

A new California lawsuit says Apple sold Hide My Email as a privacy feature despite a known flaw that could expose users' real addresses.

Image: CNET

Apple is facing a new lawsuit in California over iCloud Hide My Email, with the complaint alleging the company marketed a privacy feature it allegedly could not fully deliver. Filed Wednesday as Alvarez v. Apple Inc., the case accuses Apple of false advertising, fraud, and breach of contract.

Hide My Email lets users create temporary anonymized addresses ending in iCloud.com, a feature commonly used when signing up for subscriptions or logging into unfamiliar sites. It is available through a paid iCloud Plus subscription. According to the lawsuit, a known security flaw can expose the real email addresses behind those aliases.

The complaint says Apple was alerted to the issue by a security researcher in June 2025 but continued promoting the feature as a secure privacy tool without fixing the problem. The suit is seeking class action status, requests a jury trial, and says the value of the claims exceeds $5 million. It also asks the court to require Apple to either fix the flaw or clearly disclose the feature’s limits.

Apple did not immediately respond to a request for comment, according to the source.

The vulnerability was discovered by Easy Opt Outs and reported by 404 Media, which withheld most technical details. Research cited by the report found that basic online identity search tools could analyze temporary iCloud addresses and reveal the real addresses behind them. 404 Media said 100% of the Hide My Email addresses tested across two websites were exploitable.

Recommended reading

Data brokers can still profile you offline

That exposure could have broader consequences. Once someone has a real email address, they may be able to use public-record databases to uncover a person’s name, address, phone number, and other personal details. The address could also be checked against password lists from major data breaches.

Apple is also preparing a change to the feature later this summer, according to its own reports, switching addresses from “iCloud.com” to “private.iCloud.com.” That could make it easier for websites to block the aliases, potentially pushing users toward using their real address or a third-party temporary email service instead.

For now, users interested in joining the case may have to wait: class actions must go through a lengthy court certification process, and this lawsuit is split between California users and US-wide Apple users.

Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via CNET

// Keep reading