Front  /  Privacy

Apple Sued Over Hide My Email Flaw That Unmasks Real Addresses

Renting anonymity works right up until the landlord leaves the door unlocked.

Apple Sued Over Hide My Email Flaw That Unmasks Real Addresses

Stand against censorship and surveillance: join Reclaim The Net

Apple sells Hide My Email as a wall between your inbox and everyone who wants a piece of it. A California customer says that wall was never really standing, and that Apple kept charging for it anyway.

Anthony Alvarez filed a proposed class action against Apple this week, accusing the company of taking money for privacy it could not deliver. His complaint lands after reporting that the real address behind any Hide My Email alias can be dug up by almost anyone, through a flaw Apple has sat on for more than a year and still has not closed.

We obtained a copy of the lawsuit for you here

More: The Right Way to Hide Your Email Address

The feature works as a buffer. You generate a random alias, hand it to an app or a newsletter, and Apple forwards the mail to your real account while keeping that account out of sight. Sign in with Apple bundles it free. iCloud+ subscribers who pay from $0.99 a month get a broader version for any site they choose. The whole idea is anonymity you can rent.

However, Tyler Murphy, co-founder of EasyOptOuts, found a way to trace the real address behind an alias and reported it to Apple in June 2025, replication instructions included. 404 Media, which confirmed the flaw using one of its own aliases, found that in tests with volunteers every Hide My Email address it checked could be unmasked. The publication is holding back the technical specifics because the flaw still works.

Murphy went public after a year of waiting for a fix that never came. “Apple Hide My Email is leaking email addresses that are supposed to be hidden. We reported the issue and replication instructions to Apple over a year ago. We don’t know why it hasn’t been fixed, but we don’t feel comfortable waiting any longer. Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses,” he said.

Apple acknowledged Murphy’s report a month after he sent it. In March 2026 it told him it had “addressed the reported issue in a recent system change,” though the flaw stayed open. By late May, Apple said a fix was “expected in the coming weeks.” Murphy suggested the company stop minting new aliases until it could actually protect them, and Apple gave no sign of doing so.

Murphy has been clear about who a leak endangers. “Free, publicly accessible people-search sites make it easy to link an email address to other personal details, so people relying on Hide My Email for safety may be at risk,” he said. The customers most likely to need a throwaway alias, the ones hiding from a stalker or an abuser, are exactly the customers a leak wounds first.

Alvarez’s complaint turns that risk into a bill. “Apple has known of the problem for over a year, and the flaw remains unfixed to this day—all while Apple continues to profit from Hide My Email and from its promises of privacy,” it reads. Alvarez describes himself as “one of the millions of customers who paid Apple for iCloud+ and relied on Apple’s representations that Hide My Email would keep his personal email address hidden.”

Alvarez argues that customers paid for privacy twice over. “Plaintiff and Class Members paid Apple for their privacy—iCloud+ subscribers though the price-premium built into iCloud+ subscription fees, and all Apple customers through the price premium built into Apple products that Apple markets as including enhanced privacy protections and features such as Hide My Email,” the filing states.

The complaint stacks up nine causes of action, among them violations of California’s Unfair Competition Law, False Advertising Law, and Consumers Legal Remedies Act, alongside fraud, negligent misrepresentation, breach of contract, breach of implied contract, breach of implied warranty of merchantability, and unjust enrichment.

Alvarez wants damages, restitution, a jury trial, and “injunctive relief to ensure Apple ceases its deceptive conduct and either delivers the privacy protection it promised or clearly discloses that it cannot.” He is asking the court to certify four classes covering Apple device owners and iCloud+ subscribers, nationwide and in California, with combined claims the complaint values above $5 million.

The suit also argues this fits a habit rather than a one-off. It cites a 2023 finding that Apple’s randomized MAC address feature, another tool sold on privacy, had failed to mask users’ real hardware identifiers for three years.

Apple has stayed silent on the lawsuit.

Stand against censorship and surveillance: join Reclaim The Net

Reclaim The Net is reader-supported. Every contribution widens the reach, helping more people see the threat to privacy and free expression, and push back.

Explore more on these topics