Apple spent years building a privacy vulnerability brand, and Hide My Email was a centerpiece of that pitch — a paid iCloud+ feature promising that your real address would stay invisible. Security researcher Tyler Murphy reportedly found the opposite. He discovered the vulnerability in mid-2025, reported it to Apple in June of that year, and waited. Apple acknowledged the bug in July 2025 and claimed it was patched by March 2026. Then 404 Media tested their own Hide My Email alias. Still leaking. A proposed class action lawsuit has since followed, alleging Apple violated California’s false advertising and consumer protection laws.
A Fix That Wasn’t
Apple claimed the vulnerability was resolved — independent testing says otherwise.
You know that sinking feeling when you check the lock on your front door and realize it’s been decorative this whole time? That’s roughly what happened here. After Apple told Murphy the bug was fixed, he ran controlled tests with volunteers. The result: 100% of Hide My Email addresses were exploitable. Every single one. Murphy told Mashable: “In our limited tests with volunteers, 100% of Hide My Email addresses were exploitable.” 404 Media verified the flaw independently on their own aliases.
Apple reportedly asked Murphy not to publish the exploit’s technical steps, saying a patch was expected “in the coming weeks.” Neither Murphy nor 404 Media has disclosed the method — a responsible call, given the flaw reportedly remains active. No known real-world attacks have been confirmed. This is a vulnerability that’s serious in principle but unconfirmed in damage. Think of it like a Chekhov’s gun: the fact it hasn’t fired yet doesn’t change the risk calculus.
Here’s what’s confirmed so far:
- Murphy reported the flaw to Apple in June 2025
- Apple claimed it was fixed in March 2026; independent testing showed it was not
- 100% of aliases tested were exploitable in controlled conditions
- No real-world exploitation has been reported
- The flaw targets the aliasing layer only — passwords and Apple ID accounts are not directly exposed
Privacy as a Brand, Not a Guarantee
A proposed class action alleges Apple kept marketing a broken privacy feature after learning of the flaw.
Apple promised a solution. The problem persisted anyway. The complaint argues Apple knew about the flaw for nearly a year and continued promoting Hide My Email without adequate disclosure. 404 Media stated plainly: “We are not revealing the exact details of the vulnerability because it can still be exploited.” The cultural stakes stretch beyond a single bug. This is a stress test for whether “privacy by design” carries legal weight — or just makes good billboard copy.
If you’re a journalist, activist, or lawyer who used Hide My Email as a safety layer rather than a spam filter, the risk calculus changes entirely. The lawsuit joins a growing pattern — AirTag stalking suits, on-device scanning debates — where courts examine whether Apple’s privacy marketing matches technical reality. The precedent question matters well beyond Cupertino, potentially shaping how marketing language around privacy features is treated legally across the entire tech sector.
Until Apple confirms a verified fix, treat Hide My Email as unreliable for sensitive sign-ups. For shopping sites and newsletters, the risk remains uncertain but non-zero. The lawsuit sits at the proposed class stage with no rulings yet, and Apple has not publicly addressed the legal allegations. Watch for a class certification hearing, any verified patch announcement from Apple, or follow-up testing from independent researchers — those will be the clearest signals of where this heads next.




























