Apple Hit with Class Action Lawsuit Over ‘Hide My Email’ Privacy Leak
Apple
Toggle Dark Mode
A proposed class action lawsuit has been filed against Apple over a reported “Hide My Email” flaw that could expose an iCloud+ user’s actual email address (PDF). While there have been no reports of the flaw actually being exploited, the proposed class action lawsuit claims Apple violated California’s false advertising law, as well as other California consumer protection statutes by offering a feature that it knows does not work as advertised.
In early June, researchers announced that they had discovered a serious flaw in Apple’s “Hide My Email” feature that could reveal a user’s real email address. The folks over at 404 Media confirmed the flaw’s existence and were able to exploit the flaw each and every time. However, the apparent vulnerability has not been exploited in the wild, as far as anyone knows, as the steps have not yet been shared with the public to avoid providing a roadmap for bad actors or even the simply curious.
Sadly, the security flaw was reported to Apple more than a year ago, and they still haven’t put a fix in place, says Tyler Murphy, co-founder of EasyOptOuts, the company that first discovered the flaw and filed the report with Apple.
Anthony Alvarez filed the proposed class action lawsuit against Apple in the US District Court for the Northern District of California on Wednesday, July 15, without alleging that the security vulnerability had been used in an attack or that the plaintiff’s email address had been exposed. The complaint instead rests solely on the marketing of Hide My Email, accusing the Cupertino company of false advertising, fraud, breach of contract, and other violations.
The filing argues that Apple sold customers a privacy feature it couldn’t actually provide. The claims cover both the full version included with paid iCloud+ plans, as well as the more limited relay addresses generated via Sign in with Apple.
Alvarez’s lawsuit seeks damages and an order requiring Apple to fix Hide My Email or clearly disclose its limitations by asking to represent four proposed classes covering US Apple customers, including two California subclasses.
So far, the allegations haven’t been tested in court, and no class has yet been certified.
What the Lawsuit is About
Security researcher Tyler Murphy discovered the flaw and reported it to Apple in June 2025. The vulnerability did not become public until July 1 after Apple had failed to fix the reported flaw for more than a year.
While Apple said in March 2026 that a system update had fixed the issue, with further testing, Murphy found that the vulnerability was still exploitable. Apple then told Murphy it would be addressing the problem in a future upgrade.
404 Media on June 29 confirmed that the vulnerability that could connect a Hide My Email relay address with the real email account behind it was still available. The publication once again withheld the technical details because the flaw had not been fixed.
Does It Deserve to Be a Class Action Lawsuit?
Despite valid criticism over Apple failing to resolve the issue while continuing to run iCloud+ advertisements, neither the complaint nor any public reports have identified an actual attack in the wild.
The plaintiff does not allege that anyone uncovered or misused his email address, sent him unwanted messages, or otherwise exploited the vulnerability against him.
Instead, Alvarez’s claim is based strictly on financial damages, as he says he purchased an iPhone, then subscribed to the 200GB iCloud+ tier, on or around March 15, 2025. He claims he wouldn’t have paid as much for the service if he had known about the Hide My Email security flaw.
The lawsuit claims four proposed classes should be compensated, including buyers of new Apple hardware who used the Hide My Email feature bundled via Sign in with Apple.
The iCloud+ related charges could be considered proper, given that Apple explicitly mentions Hide My Email as part of a paid subscription and customers should rightfully expect the feature to perform as advertised. However, the hardware complaint attempts to tie part of an iPhone’s or Mac’s price to the Hide My Email feature, without explaining the value of the feature, and how the court could possibly separate that value from the rest of the device.
While Apple did mishandle a real privacy flaw, and such flaws should be fixed as soon as a company discovers them, this lawsuit appears to be a bit of a financial grab, rather than seeking compensation for a class of consumers who were actually damaged by the vulnerability.
