Apple Hide My Email Class Action: Privacy Flaw Lawsuit
Privacy · False Advertising · Lawsuit Filed

Apple Hide My Email Class Action: Lawsuit Says Apple Sold Privacy Protection It Couldn't Deliver

Published July 17, 2026

Apple's Hide My Email promises that websites never see your real email address — but a new class action says a flaw reported to Apple in June 2025 let the aliases be traced right back to it, and that Apple kept selling the feature anyway. The case was just filed, and there is nothing to claim yet.

Apple Hide My Email privacy class action lawsuit over alleged flaw unmasking real email addresses behind iCloud+ aliases 2026
Allegations Only · No Settlement Yet

This article describes a class action complaint. The statements below are unproven allegations. Apple Inc. has not been found liable, there is no certified class, and there is nothing to claim at this time. The underlying vulnerability claims are a security researcher's reported findings, not Apple-confirmed facts. This page is general information, not legal advice.

What Is the Apple Hide My Email Lawsuit About?

Hide My Email is one of Apple's marquee privacy features: it generates random relay addresses like xyz123@icloud.com that forward to your real inbox, so the websites and apps you sign up for never learn your actual email address. It ships with paid iCloud+ subscriptions and powers the free relay addresses created through Sign in with Apple. A proposed class action, Alvarez v. Apple Inc., filed July 15, 2026 in the U.S. District Court for the Northern District of California, alleges the feature could not deliver the privacy Apple promised.

The complaint centers on a reported vulnerability: security researcher Tyler Murphy, co-founder of the data-removal service EasyOptOuts, says he discovered a way to unmask the real email address behind a Hide My Email alias and reported it to Apple in June 2025 with reproduction steps. In his limited tests, he says, every alias he checked was exploitable. The lawsuit alleges Apple knew about the flaw for more than a year while continuing to market Hide My Email as private — "selling customers privacy it couldn't provide," in the complaint's framing. None of the claims has been proven, and no court has ruled on the merits.

Status Complaint Filed · No Settlement filed July 15, 2026 in the Northern District of California
Case Alvarez v. Apple Inc. N.D. Cal. · case number pending docket confirmation
Can I Claim? No — nothing to claim yet no certified class, no settlement, no claim form

The Vulnerability Timeline

According to press reports of the researcher's account:

June 2025 — Murphy reports the flaw to Apple with steps to reproduce it. Apple acknowledges the report about a month later.
March 2026 — Apple reportedly says it has fixed the issue; Murphy tests again and finds the aliases still exploitable.
Late May 2026 — Apple says a fix is coming in a security update "expected in the coming weeks."
July 1, 2026 — the flaw becomes public through tech-press reporting. The technical details are deliberately withheld because the issue reportedly remained exploitable.
July 15, 2026 — the class action is filed.

The exact mechanics of the flaw have never been published, and Apple has not publicly confirmed the researcher's characterization. The "every alias was exploitable" figure is Murphy's claim from his own limited testing, not an Apple-confirmed finding.

What the Named Plaintiff Alleges

The named plaintiff, a California resident, says he bought an iPhone and subscribed to the 200GB iCloud+ tier in March 2025, relying on Apple's privacy representations — including Hide My Email — and that he would not have paid as much, or at all, had he known the feature's protections could fail. The complaint reportedly asserts claims under California's False Advertising Law along with fraud and breach-of-contract theories.

One detail worth noting: coverage of the complaint points out that it does not allege the vulnerability was ever actually used in an attack, or that the plaintiff's own address was unmasked. The theory is economic — customers allegedly overpaid for privacy protections that were overstated — rather than a claim that anyone's data was actually exposed.

Who Could Be Affected?

The complaint reportedly proposes four classes of U.S. Apple customers, including two California subclasses — spanning people who used Hide My Email through paid iCloud+ plans and people who created free relay addresses through Sign in with Apple. The complaint pleads an amount in controversy exceeding $5 million. Exact class definitions would be decided later if the case advances past the pleading stage.

The suit seeks damages and injunctive relief that would require Apple to either fix Hide My Email or clearly disclose its limitations, with a jury trial demanded. Apple has not publicly commented on the lawsuit.

Apple's Other Privacy Litigation

Privacy is central to Apple's brand — which is exactly why it keeps drawing privacy litigation. We cover several related cases, including the Apple Safari fingerprinting class action, the Apple Face ID biometric privacy lawsuit, and the UK's £3 billion iCloud class action. Each case stands on its own allegations, and none has resulted in a finding that Apple misrepresented its privacy features.

What Should You Do Now?

There is nothing to file at this stage — no settlement and no claim form exist. If you use Hide My Email, keep the feature's aliases in service (deleting them can break logins), install Apple's security updates promptly, and — if an alias starts receiving spam addressed to your real identity — note the dates, since that is the kind of evidence class members are sometimes asked about. If you want legal advice, consult a privacy or consumer-protection attorney licensed in your state. OpenClassActions.com is a consumer news site, not a law firm, and does not provide legal advice or process claims. We will update this page when the docket confirms the case number and the full list of claims.

Frequently Asked Questions

What is the Apple Hide My Email lawsuit about?

A proposed class action, Alvarez v. Apple Inc., filed July 15, 2026 in the U.S. District Court for the Northern District of California, alleges Apple misrepresented the privacy protections of Hide My Email — the feature that creates random relay email addresses so websites never see your real one. The complaint points to a security researcher's report that a flaw let the aliases be traced back to users' real email addresses, and alleges Apple knew about the problem for over a year while continuing to market the feature. These are unproven allegations; Apple has not been found liable and has not publicly commented on the suit.

What is the Hide My Email vulnerability?

Security researcher Tyler Murphy reported to Apple in June 2025 that he found a way to unmask the real email address behind a Hide My Email alias, saying that in his limited tests every alias he checked was exploitable. The technical details have deliberately not been published because the issue reportedly remained exploitable. Apple reportedly said in March 2026 that it had fixed the issue, but the researcher found it still worked; in late May 2026 Apple said a fix was coming in an upcoming security update. The flaw became public on July 1, 2026. These are the researcher's claims — Apple has not confirmed the details.

Is there an Apple settlement or claim form yet?

No. The case is at the complaint stage. There is no certified class, no settlement, and no claim form, so nothing can be claimed at this time.

Who could be affected by the Hide My Email lawsuit?

The complaint reportedly proposes four classes of U.S. Apple customers, including two California subclasses — covering people who used Hide My Email through a paid iCloud+ subscription and people who created free relay addresses through Sign in with Apple. Exact class definitions would be decided later if the case advances.

Does the lawsuit claim anyone's email was actually exposed?

Notably, no. Press coverage of the complaint notes it does not allege the vulnerability was actually used in an attack or that the named plaintiff's own address was unmasked. The theory is economic: that customers paid for a privacy feature that allegedly could not deliver what Apple promised, and would not have paid as much — or at all — had they known.

Sources

• MacRumors, "Apple Sued Over Reported Hide My Email Flaw" — MacRumors
• AppleInsider, "Hide My Email class action lawsuit seeks payout without evidence of any attacks" — AppleInsider
• 9to5Mac, "Class action accuses Apple of misleading users about Hide My Email's privacy protections" — 9to5Mac
• TechCrunch, "Apple's Hide My Email feature has a bug that's been exposing real email addresses, researcher claims" — TechCrunch



For more class actions keep scrolling below.
Status Complaint filed — no settlement, no certified class
Case Title Alvarez v. Apple Inc.
Case Number Pending docket confirmation
Court U.S. District Court, Northern District of California
Date Filed July 15, 2026
Claims California False Advertising Law · fraud · breach of contract (as reported)

Related Apple & Privacy Lawsuits