2 min read

Apple faces lawsuit over Hide My Email flaw

A new California lawsuit says Apple sold Hide My Email as a privacy feature despite a known vulnerability reported in June 2025.

Image: CNET

Apple is facing a new California lawsuit over Hide My Email, with plaintiffs alleging the company marketed the iCloud Plus feature as a privacy safeguard even after learning it could expose users' real email addresses.

Filed Wednesday as Alvarez v. Apple Inc., the suit accuses Apple of false advertising, fraud, and breach of contract. It seeks class action status, requests a jury trial, and says the value of the claims exceeds $5 million. The plaintiffs also want Apple to either fix the flaw or clearly disclose the feature’s limits.

Hide My Email lets users create temporary anonymized addresses on the iCloud.com domain, typically for subscriptions or signups on unfamiliar sites. According to the complaint, a security researcher told Apple about a vulnerability in June 2025, but the company kept promoting the tool as secure without resolving the issue.

The flaw was discovered by Easy Opt Outs and reported by 404 Media, which withheld most technical details. Research cited by the outlet found that basic online identity search tools could analyze temporary iCloud email aliases and reveal the real addresses behind them. 404 Media reported that 100% of the Hide My Email addresses on the two websites tested were exploitable.

That exposure could have broader consequences. Once someone has a real email address, they may be able to use public-record databases to uncover a person’s name, address, phone number, and other sensitive details. The address could also be checked against password lists circulating from major data leaks.

Recommended reading

Cities are ditching Flock cameras as backlash grows

Apple did not immediately respond to a request for comment, according to the source.

The report also notes that Apple plans to update Hide My Email later this summer, switching addresses from “iCloud.com” to “private.iCloud.com.” That change could make it easier for websites to block the aliases, potentially pushing users to share their real address or rely on third-party temporary email services instead.

For now, users worried about joining the case may have to wait. The lawsuit still must pass through the court’s certification process, and the proposed classes cover both California users and Apple users nationwide.

Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via CNET

// Keep reading