New Lawsuit Filed Against Apple for ‘Hide My Email’ Privacy Vulnerability
New Lawsuit Filed Against Apple for ‘Hide My Email’ Privacy Vulnerability
Publish Date: 2026-07-16 18:45:00
Source Domain: www.cnet.com
A couple of weeks ago, I wrote about a bug in Apple’s iCloud Hide My Email tool that appeared to reveal users’ real email addresses to anyone who wanted to find them. On Wednesday, a lawsuit was filed in California, Alvarez v. Apple Inc., accusing Apple of false advertising, fraud and breach of contract for selling a privacy perk that it allegedly could not deliver.
Read more: Best iPhones of 2026
The Hide My Email feature, which lets you generate a temporary, anonymized email address with the iCloud.com domain, is often used to protect privacy when signing up for subscriptions or logging into new or unverified websites. The feature is currently available with a paid iCloud Plus subscription.
The lawsuit claims that a known security vulnerability in Hide My Email exposes the true email addresses behind the randomly generated email aliases. The suit says that Apple was made aware of this flaw by a security researcher in June 2025, but left the issue unresolved while continuing to advertise the feature as a secure privacy tool.
The suit, which seeks class action status, requests a jury trial and states that the value of the claims is greater than $5 million. In addition to seeking financial compensation, the suit also requests that Apple fix the Hide My Email vulnerability or disclose its limitations.
An Apple representative didn’t immediately respond to a request for comment.
The flaw was discovered by Easy Opt Outs and reported to 404 Media, though the details of the flaw were largely kept hidden. Research found that basic online identity search tools could analyze iCloud temporary email addresses and uncover users’ real addresses. 404 Media reported that 100% of the Hide My Email addresses on the two websites tested were exploitable.
That’s why the vulnerability is dangerous. Once a malicious actor has that real email address, they could plug it into any available online public-record database to uncover the user’s name, address, phone number and other…