Apple’s Hide My Email feature was designed to keep users’ personal inboxes private. A new lawsuit alleges the privacy tool may not have delivered that protection as advertised.
A proposed class action filed in California claims Apple misled customers about an alleged flaw that could reveal the real email addresses behind Hide My Email aliases. The complaint says Apple knew about the issue for more than a year while continuing to market the feature through Sign in with Apple and iCloud+.
Apple had not publicly responded to the lawsuit at the time of writing.
Lawsuit challenges Apple’s privacy promises
California resident Anthony Alvarez filed the complaint on behalf of himself and other Apple customers who used Hide My Email.
“The flaw remains unfixed to this day, all while Apple continues to profit from Hide My Email and from its promises of privacy,” the complaint said, per 9to5Mac.
MacRumors noted that a security researcher reportedly alerted Apple in June 2025. Apple reportedly told the researcher that it had addressed the flaw in March 2026, but the researcher allegedly found that it remained exploitable. No known cases of exploitation have been reported, and technical details have not been publicly released.
According to The Mac Observer, Alvarez wants the court to certify nationwide and California groups covering Apple customers and iCloud+ subscribers. The complaint alleges that their combined claims exceed $5 million, although it did not provide a detailed calculation.
How Hide My Email is supposed to work
Hide My Email generates unique email addresses that forward messages to a user’s personal inbox. Websites, apps, and newsletters see the alias instead of the underlying address.
Apple offers a basic version through Sign in with Apple. 9to5Mac noted that the broader version comes with iCloud+ subscriptions, which start at $0.99 per month and allow users to create additional aliases for online services.
The feature can help reduce spam and limit how many companies collect a person’s primary email address. It does not encrypt messages or make the user anonymous.
Put simply, Hide My Email works as a separation layer between a person’s inbox and the businesses or services they interact with.
Must-read Apple coverage
- Nearly 7 in 10 iPhone Owners Plan iPhone 17 Upgrade
- Apple Prepares AI-Powered Siri Upgrade With Google Search Integration
- Apple’s Xcode 26 Beta Now Supports GPT-5 and Claude
- Apple’s Vision Pro Adoption Stalled As Content Released ‘Drip by Drip’
What Hide My Email users could risk exposing
An email address can reveal more than where someone receives messages. Companies often use addresses as account identifiers, while data brokers and attackers can use them to connect activity across multiple services.
If the alleged flaw allows a Hide My Email alias to be traced back to the underlying address, users may face more targeted phishing, profiling, spam, or account-recovery attacks. The risk becomes greater when the exposed address already appears in leaked databases with names, phone numbers, passwords, or other personal details.
Organizations that allow employees to use personal Apple IDs or Hide My Email aliases for work-related services may also want to review whether email aliases are appropriate for account recovery or identity verification.
Security teams should treat aliases as a privacy layer, not a complete identity-protection control, particularly when an exposed address could be matched with information from previous data breaches.
The lawsuit has not established that Apple violated the law or that attackers exposed users’ addresses in real incidents. Its outcome may still influence how technology companies describe privacy tools and disclose their limitations.
The court must still decide whether the lawsuit can proceed as a class action, and Apple has not publicly addressed the allegations. Until more technical details emerge, users should view email aliases as an additional privacy layer—not a guarantee that their identity cannot be linked to an underlying address.
More News: Read our breakdown of Apple’s 2026 security year, including zero-days, iPhone exploit kits, WebKit fixes, and background patches users and IT teams should track.