
A couple of weeks ago, I wrote about a bug in Apple’s iCloud Hide My Email tool that appeared to reveal users’ real email addresses to anyone who wanted to find them. On Wednesday, a lawsuit was filed in California, Alvarez v. Apple Inc., accusing Apple of false advertising, fraud and breach of contract for selling a privacy perk that it allegedly could not deliver.
Read more: Best iPhones of 2026
The Hide My Email feature, which lets you generate a temporary, anonymized email address with the iCloud.com domain, is often used to protect privacy when signing up for subscriptions or logging into new or unverified websites. The feature is currently available with a paid iCloud Plus subscription.
The lawsuit claims that a known security vulnerability in Hide My Email exposes the true email addresses behind the randomly generated email aliases. The suit says that Apple was made aware of this flaw by a security researcher in June 2025, but left the issue unresolved while continuing to advertise the feature as a secure privacy tool.
The suit, which seeks class action status, requests a jury trial and states that the value of the claims is greater than $5 million. In addition to seeking financial compensation, the suit also requests that Apple fix the Hide My Email vulnerability or disclose its limitations.
An Apple representative didn’t immediately respond to a request for comment.
The flaw was discovered by Easy Opt Outs and reported to 404 Media, though the details of the flaw were largely kept hidden. Research found that basic online identity search tools could analyze iCloud temporary email addresses and uncover users’ real addresses. 404 Media reported that 100% of the Hide My Email addresses on the two websites tested were exploitable.
That’s why the vulnerability is dangerous. Once a malicious actor has that real email address, they could plug it into any available online public-record database to uncover the user’s name, address, phone number and other sensitive details. It could also be used to gain access to password lists sold from large-scale data leaks.
It’s worth noting that Apple is planning changes to Hide My Email that could make it less friendly to privacy advocates. Apple’s own reports say it will update the tool later this summer to switch the addresses from “iCloud.com” to “private.iCloud.com.” That could allow websites to filter out the new addresses, forcing Apple users to either substitute their real address or use a third-party temporary website tool instead.
If you use Hide My Email and are worried your own email has been exposed, be patient: Lawsuits like these must go through a lengthy certification process by a court, so it will be a while before they are opened to join, if at all. This suit is divided into Californian and US-wide Apple users. I’ll let you know when it’s possible to join, and who can sign up.







