Apple's Privacy Promise Faces a Reckoning Over Hide My Email

Apple's Privacy Promise Faces a Reckoning Over Hide My Email

Apple built its brand on privacy. "What happens on your iPhone, stays on your iPhone." Hide My Email was supposed to be a cornerstone of that promise — a paid iCloud+ feature that lets you generate random, disposable email addresses to shield your real inbox from spam, data brokers, and unwanted tracking.

But according to a proposed class action filed July 16 in California, that promise may have been hollow for over a year.

Here's the short version: Security researcher Tyler Murphy discovered a vulnerability in Hide My Email back in June 2025. The flaw allows anyone with basic know-how to trace a generated @icloud.com alias back to the user's real email address. Murphy reported it to Apple. Apple acknowledged it a month later. In March 2026, Apple told Murphy the bug was fixed.

It wasn't.

Murphy ran controlled tests with volunteers. 100% of Hide My Email addresses tested were exploitable. 404 Media independently verified the flaw on their own aliases — Murphy reportedly returned the real email associated with a fresh Hide My Email address in about five minutes.

Apple asked Murphy not to disclose the technical details, saying a patch was "expected in the coming weeks". That was May 2026. As of late June, the vulnerability remained unpatched. Murphy went public on July 1.

The lawsuit, filed by California resident Anthony Alvarez, alleges Apple violated California's false advertising and consumer protection laws. The complaint argues that Apple knew about the flaw for over a year but continued marketing Hide My Email as a secure privacy tool — all while profiting from iCloud+ subscriptions and the premium pricing Apple products command thanks to their privacy reputation.

The suit seeks class-action status, with claims exceeding $5 million, and asks the court to order Apple to either fix the vulnerability or clearly disclose its limitations.

What does this mean for you?

Hide My Email doesn't expose your Apple ID password or grant account access. But your real email, once revealed, can be plugged into people-search databases to uncover your name, address, phone number, and other sensitive details. That's a risk for journalists, activists, or anyone relying on the feature for genuine privacy protection.

Apple hasn't publicly commented on the lawsuit. The company is also planning to shift Hide My Email addresses from @icloud.com to @private.icloud.com — a change that may make them easier for websites to identify and block, further reducing the feature's usefulness.

For now, if you're using Hide My Email for anything beyond avoiding junk mail, it's worth reconsidering what you're actually protected from. Apple's privacy brand may be strong, but this case suggests that when it comes to one of its flagship features, the lock might have been decorative this whole time.

إرسال تعليق

أحدث أقدم