Connect with us

News

Apple Sued Over Hide My Email Flaw It Twice Called Fixed

A California iPhone owner sued Apple on July 15, alleging Hide My Email exposed real addresses for over a year despite two claimed fixes.

Published

on

A California iPhone owner sued Apple on July 15 over a Hide My Email flaw that a researcher says exposed real addresses for more than a year. The proposed class action, filed in the U.S. District Court for the Northern District of California, accuses Apple of selling privacy it could not deliver through a feature bundled into paid iCloud+ plans and the free Sign in with Apple service.

No one has alleged an actual attack. The case instead rests on a financial theory: that customers overpaid for privacy Apple knew was broken. That theory is shakier than the timeline behind it, in which Apple told the researcher who found the bug that it was fixed, twice, while his own retesting kept proving otherwise.

The Complaint Targets Four Classes of Apple Customers

Anthony Alvarez, a California resident, filed the complaint against Apple on July 15. It accuses the company of false advertising, fraud, and breach of contract tied to its marketing of Hide My Email, alongside negligent misrepresentation and violations of California consumer protection law.

The complaint lists several legal theories at once:

  • False advertising over marketing Hide My Email as private
  • Fraud for continuing to sell the feature after learning of the flaw
  • Breach of contract for not delivering the privacy protections promised
  • Negligent misrepresentation of the feature’s actual capabilities
  • Violations of California’s consumer protection statutes

Alvarez says he bought an iPhone and subscribed to the 200GB iCloud+ tier around March 15, 2025, and would not have paid as much had he known the feature could fail. He wants a jury, not a judge, to hear the case and wants Apple ordered to either fix Hide My Email or clearly disclose what it cannot guarantee.

Proposed Class Who It Covers Core Claim
Nationwide device class U.S. buyers who purchased Apple hardware and used Hide My Email through Sign in with Apple Paid a device price reflecting privacy features that did not work
California device subclass California residents within the nationwide device class Adds state false advertising and consumer protection claims
Nationwide iCloud+ class U.S. iCloud+ subscribers who used Hide My Email Paid subscription fees for a feature that failed to hide their address
California iCloud+ subclass California residents within the iCloud+ class Adds state false advertising and consumer protection claims

The complaint puts the combined value of the four proposed classes’ claims above $5 million, not counting interest or legal costs, though it does not explain how that figure was reached.

Why Is Apple Being Sued Now?

Apple is being sued now because the flaw only became public two weeks earlier, after more than a year of promises that it had already been handled. The researcher who found it went to 404 Media once Apple’s repeated assurances stopped holding up under his own retesting. The lawsuit followed within fourteen days of that disclosure.

  1. June 2025: Security researcher Tyler Murphy reports the flaw to Apple, with steps to reproduce it.
  2. About a month later: Apple acknowledges the report and says it is investigating.
  3. March 2026: Apple tells Murphy a system change addressed the issue. His retesting shows the flaw still works.
  4. April and May 2026: Apple describes additional checks and says a fix is coming in a future security update.
  5. June 29, 2026: 404 Media independently verifies the flaw still works, using one of its own test addresses.
  6. July 1, 2026: The vulnerability becomes public.
  7. July 15, 2026: Alvarez files the proposed class action in the Northern District of California.

A Feature Used by Millions, Broken for Over a Year

Hide My Email launched in September 2021 with iOS 15 as part of the paid iCloud+ tier, which starts at $0.99 a month. A more limited version comes free through Sign in with Apple. Either way, the pitch is the same: generate a random address, forward the mail, keep the real inbox out of view.

Tyler Murphy, the researcher who found the flaw and co-founder of the paid data-removal service EasyOptOuts, tested that promise directly. In limited tests with volunteers, he found that 100% of Hide My Email addresses could be traced back to the real inbox behind them, he told 404 Media.

We don’t know why it hasn’t been fixed, but we don’t feel comfortable waiting any longer.

Murphy said that in the statement he gave 404 Media, adding that Hide My Email users deserve to know their supposedly hidden addresses may not be hidden at all. The complaint says Alvarez is one of millions of iCloud+ customers who paid for exactly that promise.

This Isn’t Apple’s First Privacy Tool to Fail

The complaint leans on history. It cites a 2023 finding that Apple’s randomized MAC address feature, meant to stop Wi-Fi networks from tracking a device over time, was leaking the real hardware identifier instead. TechCrunch reported at the time that researchers called the tool effectively “useless.” Both cases follow the same arc: a privacy feature marketed as complete, later found leaking the very data it promised to hide.

Apple is contesting more than one privacy-adjacent suit at once. A federal judge in San Jose dismissed a $32.8 billion class action on July 14 that had accused the company of failing to stop child sexual abuse material on iCloud, ruling Apple was shielded by Section 230 of the Communications Decency Act. Separately, consumer group Which? is pursuing a £3 billion (roughly $3.9 billion) case in the UK over alleged iCloud storage overcharging, covering an estimated 40 million iPhone and iPad owners and headed for an October 2028 trial.

The Lawsuit’s Weakest Argument Is Its Own

Not every reader of the complaint is convinced it holds together. AppleInsider’s analysis of the filing called it an exercise in “ambulance chasing,” noting that neither the complaint nor any public reporting identifies a single confirmed attack using the flaw.

Alvarez does not claim anyone found or misused his address. His stated injury is financial: he says he would not have paid as much for his iPhone and 200GB iCloud+ plan in March 2025 had he known the feature could fail.

That theory holds up more easily for the iCloud+ subscription, which explicitly bundles the feature, than for the hardware claim. Extending it to the price of an iPhone or a Mac asks a court to isolate what one feature, among hundreds, was actually worth, something the complaint does not attempt to do.

None of that erases the underlying problem. Apple advertised a privacy feature it had been told, repeatedly, was not working, and said the issue was resolved on at least one occasion when it was not.

Apple Has Not Filed a Response

Apple has not commented on the lawsuit. The allegations have not been tested in court, and no class has been certified.

The case now sits with a jury demand, an unspecified damages request, and a request for a court order forcing Apple to either repair Hide My Email or spell out, in plain terms, what it cannot promise.

Frequently Asked Questions

What Does Apple’s Hide My Email Feature Do?

It creates a random, disposable address that forwards messages to a user’s real inbox, so a website or app never sees the actual email behind it. Addresses typically end in @icloud.com or @privaterelay.appleid.com, and Apple is moving new addresses to a unified @private.icloud.com domain as part of an unrelated redesign announced in mid-June 2026.

Is It Still Safe to Use Hide My Email?

There is no confirmed case of anyone’s real address being exposed through malicious use, and Apple has issued no advisory telling customers to stop using the feature. Some coverage of the flaw has suggested that anyone relying on it for protection from harassment or stalking consider a backup option, such as a separate free email-masking service, until a fix is confirmed.

Has Apple Fixed the Hide My Email Vulnerability?

Not as of this reporting. Apple said in March 2026 that a system change addressed the issue, and the researcher who found it says his retesting proved it had not. The company later described additional checks and a fix planned for a future security update, without a confirmed release date.

What Is the Lawsuit Asking Apple to Do?

Beyond damages, the complaint asks a court to order Apple to fix Hide My Email or clearly disclose its limits. Unlike the UK’s iCloud pricing case, which seeks a fixed payout of up to £77 per claimant, Alvarez’s complaint leaves the dollar amount open for a jury to decide if the case moves forward.

Who Would Be Covered If the Case Becomes a Class Action?

No class has been certified yet, so no Apple customer needs to do anything right now. Membership in one of the four proposed groups, nationwide device buyers, California device buyers, nationwide iCloud+ subscribers, or California iCloud+ subscribers, would only take effect if a judge certifies the class or approves a settlement.

What Should Hide My Email Users Do Right Now?

Security researchers who reviewed the flaw suggest standard precautions: turn on multi-factor authentication for accounts tied to a hidden address, delete old aliases no longer in use, and keep devices updated so any eventual patch installs automatically.

I’m a creative thinker, writer, and social media professional who loves sharing tips and ideas to help small businesses grow. My mission is to empower business owners with the knowledge they need to succeed online. I’m passionate about the internet and social media and want to share what I know with others to help them navigate the waters of online business, marketing, and blogging.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending