New Lawsuit Filed Against Apple for 'Hide My Email' Privacy Vulnerability
A major flaw in Apple's Hide My Email feature exposes users' real email addresses to anyone who can look them up online.
- Apple's Hide My Email feature, launched in September 2021 with iOS 15, has an unpatched vulnerability that allows third parties to retrieve users' real iCloud email addresses through a simple server-side query.
- The class action lawsuit was filed on March 10, 2025, in the Northern District of California, naming lead plaintiff Sarah Jenkins and seeking damages for millions of iCloud+ subscribers.
- Security researchers disclosed the flaw to Apple in November 2024, but the company has not yet released a fix, according to the lawsuit.
- Hide My Email is a core part of Apple's iCloud+ service, which costs $0.99 per month and is used by over 400 million paying customers worldwide.
- The lawsuit cites violations of California's Consumer Legal Remedies Act and Unfair Competition Law, and could lead to mandatory disclosures or software changes if Apple loses.
A class action lawsuit filed against Apple in the U.S. District Court for the Northern District of California on March 10, 2025, claims that the company's Hide My Email feature contains a fundamental privacy flaw. The suit argues that Apple misled consumers by advertising the tool as a way to keep their personal email addresses secret, when in fact the feature leaks real addresses through a simple online lookup. The case highlights growing tensions between Apple's privacy marketing and the actual security of its cloud services.
Hide My Email, introduced with iOS 15 in 2021, lets users generate unique, random email addresses that forward to their real iCloud email. The feature is a cornerstone of Apple's broader privacy narrative, especially with iCloud+ subscribers who pay for enhanced protections. However, security researchers discovered that the system's forwarding mechanism can be manipulated: by querying Apple's servers in a specific way, anyone can reveal the real destination email address behind a forwarding alias. Apple has not yet patched the issue, despite being notified months ago.
The lawsuit, brought by lead plaintiff Sarah Jenkins on behalf of affected iCloud+ users, seeks unspecified damages and an injunction requiring Apple to fix the vulnerability. It names Apple Inc. as the sole defendant and cites breaches of California consumer protection laws. The plaintiffs' lawyers argue that Apple's failure to disclose the flaw violates its own privacy promises and state law. Apple has not commented publicly on the litigation, but the case is likely to attract attention from regulators and privacy advocates.
This is not the first time Apple's privacy features have faced scrutiny. In 2022, a similar flaw was found in iCloud Private Relay, and the company has been hit with multiple lawsuits over Siri recordings and location tracking. The Hide My Email case, however, strikes at the core of Apple's value proposition: selling devices that protect user data. If the court finds that Apple knew about the weakness and did nothing, it could damage consumer trust and invite more aggressive oversight from the Federal Trade Commission.
The immediate next step is a status conference scheduled for May 2025, where Apple will likely file a motion to dismiss. Privacy watchers will also be watching for any emergency patches or security advisories from Apple. For now, users who rely on Hide My Email should reconsider trusting it with sensitive accounts—at least until Apple proves it can keep their real addresses truly hidden.
Frequently Asked Questions
The flaw allows anyone to look up the real email address behind an Apple Hide My Email alias by querying Apple's servers with a specific technique. This defeats the purpose of the feature, which is meant to keep your personal email private.
Hide My Email generates random email addresses that forward messages to your actual iCloud email. It is available to iCloud+ subscribers and can be used when signing up for newsletters, websites, or services to avoid giving out your real address.
Security researchers discovered a method to reveal the destination email of any Hide My Email alias. Apple has not yet patched the vulnerability, meaning the feature is not currently secure against determined attackers.
The lawsuit is a class action filed by lead plaintiff Sarah Jenkins, representing all iCloud+ subscribers who used Hide My Email. It was filed March 10, 2025, in the U.S. District Court for the Northern District of California.
If the court rules against Apple, the company may be required to pay damages, issue refunds, fix the vulnerability, and change its privacy marketing. The case could also trigger regulatory investigations into Apple's iCloud services.
Until Apple issues a patch, consider avoiding the use of Hide My Email for sensitive accounts. Use dedicated email aliases from services like DuckDuckGo or SimpleLogin, or create separate email accounts for different purposes.
Original source
www.cnet.com
Discussion
Join the discussion
Sign in to post a comment or reply.
No comments yet. Be the first to share your thoughts!