Apple's Hide My Email promises that websites never see your real email address — but a new class action says a flaw reported to Apple in June 2025 let the aliases be traced right back to it, and that Apple kept selling the feature anyway. The case was just filed, and there is nothing to claim yet.
This article describes a class action complaint. The statements below are unproven allegations. Apple Inc. has not been found liable, there is no certified class, and there is nothing to claim at this time. The underlying vulnerability claims are a security researcher's reported findings, not Apple-confirmed facts. This page is general information, not legal advice.
A proposed class action, Alvarez v. Apple Inc., filed July 15, 2026 in the U.S. District Court for the Northern District of California, alleges Apple misrepresented the privacy protections of Hide My Email — the feature that creates random relay email addresses so websites never see your real one. The complaint points to a security researcher's report that a flaw let the aliases be traced back to users' real email addresses, and alleges Apple knew about the problem for over a year while continuing to market the feature. These are unproven allegations; Apple has not been found liable and has not publicly commented on the suit.
Security researcher Tyler Murphy reported to Apple in June 2025 that he found a way to unmask the real email address behind a Hide My Email alias, saying that in his limited tests every alias he checked was exploitable. The technical details have deliberately not been published because the issue reportedly remained exploitable. Apple reportedly said in March 2026 that it had fixed the issue, but the researcher found it still worked; in late May 2026 Apple said a fix was coming in an upcoming security update. The flaw became public on July 1, 2026. These are the researcher's claims — Apple has not confirmed the details.
No. The case is at the complaint stage. There is no certified class, no settlement, and no claim form, so nothing can be claimed at this time.
The complaint reportedly proposes four classes of U.S. Apple customers, including two California subclasses — covering people who used Hide My Email through a paid iCloud+ subscription and people who created free relay addresses through Sign in with Apple. Exact class definitions would be decided later if the case advances.
Notably, no. Press coverage of the complaint notes it does not allege the vulnerability was actually used in an attack or that the named plaintiff's own address was unmasked. The theory is economic: that customers paid for a privacy feature that allegedly could not deliver what Apple promised, and would not have paid as much — or at all — had they known.
Free settlement alerts
Join thousands of readers who get the latest class action settlements you may qualify for — delivered straight to your inbox.