"Your iPhone has been compromised"

There are databases of user ids and passwords that have been stolen from businesses and websites. Apple compares passwords that are in the Keychain app on your phone with that list, and tells you about the ones that appear both in Keychain and the list maintained by security teams. To see the list Apple has compiled go to Settings/Passwords and tap on Security Recommendations. If you have received a message telling you that your passwords have been compromised that is a scam; Apple will never send you such a message.

You can check to see if your user IDs and/or passwords have been compromised by going to https://haveibeenpwned.com. You can search for your users IDs, or click on Passwords on the site and see if any of your passwords are on the list.

You can also register with the site to be notified if any new data breaches have compromised the password for any of your email accounts.

Generally, clicking on phishing links or adware isn’t recommended; however, these “your phone has been compromised” alerts are a fear tactic and an attempt for you input more information on a related link or service that the fake alert will provide. In most cases, closing out of the website alone is sufficient when they pop up as long as you haven’t actively provided personal information.

When it comes to the data leak notification, that’s a new feature of iOS 14 and it will notify you if any of your passwords have appeared in data leaks since these leaks are relatively common. It’s highly likely, that clicking on that particular link you saw had nothing to do with your info being flagged for a potential security issue. It likely was flagged because you use the same username and password for lots of sites and one site that has that information experienced a data leak. Deleting your pictures, apps, or information is generally not sufficient or relevant to solving this problem, because if someone had compromised your accounts already it would have already been too late.

Being proactive and aware that hacks and data breaches are common is best thing you can do to be secure. My advice is to ensure that your important websites and accounts (i.e. Apple ID, banking, email, etc.) have unique passwords that aren’t easily guessed. Also, upgrading to two-factor authentication (or its equivalent) on all sites will gives you an extra level of security. With this in mind, if you are concerned about not being able to remember everything, iCloud Keychain, the passwords section of iPhone settings, and plenty of third party apps have services to assist in managing account security.

Finally, I’d recommend reaching out to Apple Tech Support over the phone or chat (do not waste in-store retail or Genius Bar employees time with this because they have nothing to do with account security) if you have specific question, concerns, or just want general advice related to this feature and overall data privacy. As long as you are patient and receptive to the info they give you, they can be very helpful in moving you in the right direction to be more active and aware of how to protect your data.

You need to change the passwords on any site/service where you used it. Thieves have gained access to the ID/password combinations that were compromised. Sooner or later, they will attempt to log into those accounts using those credentials.

These "leaks" seem to be defined as such by Apple. Apple is looking at our passwords and finding common ones, reused ones, weak ones, etc.. and putting us to work. The fact you changed your Apple password won't matter. It's your other passwords they are looking at. Not happy!

What you initially saw on your phone was a scam. Pure and simple. Your phone was not compromised or hacked.

The message regarding your passwords appearing in a data leak is genuine.

It is warning you that one or more of the passwords you have stored was compromised when the hosting company was compromised... Let me be clear: your phone was NOT compromised.

For example. If you have a Yahoo.com account or a yahoo mail account provided AT&T or another ISP who uses yahoo to provide their mail services, you need to know that your ID/password combination on yahoo was compromised when Yahoo got hacked, along with about 3 BILLION other accounts.

If you were using the same password on any other site, you should change those passwords immediately.

Hackers will often take a single stolen ID/password and try it on every single service they can find, from Facebook, to Netflix, to banks. They count on people being lazy and re-using the same ID and password on multiple sites.

You should never use the same password on multiple web sites.

All well and good but I received notice through this feature that 367 passwords have been leaked. This represents a lot of work to fix obviously. The language used about the "leak(s)" is generic. Shouldn't I also be hearing from the sites themselves? How serious is this?

I changed my Apple password on 9/18 and that’s the only one I changed at the moment because it said I had 266 of my passwords have been completed. So that’s a ton of work so I just changed my Apple pw. It has already been compromised again! How when that’s the only new password I’ve used and I haven’t used it for anything else?

Interesting. So even though it's Apple who is telling me about the leaks, you're saying I have to take the odds that not one of the 367 sites that Apple's told me I have a problem with will tell me independently that I've got a problem. I'm sorry. Can't do that.

There's got to be an easier way to change all your passwords that might have a leak. When I click on the arrow saying to reset the password why doesn't iPhone generate a password for me? This whole thing with passwords sucks! Once again there has got to be an easier, faster and more secure way to do this!

How serious is this?

Impossible question to answer.

How lucky do you feel?

The iPhone will generate a password for you if you enable Keychain—>Set up iCloud Keychain - Apple Support.

message that ALL my passwords were breached possibly. 164 of them. What do I do?

You ignore the scam.