"This password has appeared in a data leak" notice on iPhone

Is there any way to find out what website the data leak was from when getting this on my iphone settings?


I want to find the culprit for me now having to change my password used on 59 other sites



[Re-Titled by Moderator]

iPhone 11

Posted on Sep 29, 2020 9:22 AM

Question marked as Top-ranking reply

Posted on Mar 28, 2021 7:32 AM

No, the problem is not with Apple. Apple is simply the messenger, telling you that a password (or passwords) that you have used have been found in published lists of passwords that have been stolen from various online sites. There are databases that are built by cybersecurity companies going to the dark web and seeing what stolen information is offered for sale by various criminal enterprises. Google offers a similar feature in Chrome, and the site https://haveibeenpwned.com can also tell you if a password that you use has been found in login information stolen from other sites.


If you want to learn about the hundreds of sites that have been hacked (many of which you probably use) Brian Krebs reports on the latest ones: https://krebsonsecurity.com. Some of the largest include Equifax, Marriott Hotels, the US Government’s personnel management agency, and many chain restaurants. And the most recent is almost all sites worldwide that use Microsoft Exchange.

133 replies

Mar 28, 2021 2:17 PM in response to Applehelp0001

Applehelp0001 wrote:

Hello Stulynn1000 - could you help update me on how you resolved this? I've had exactly the same breach - same scenario - and have been very worried whether my keychain has been hacked, rather than the leaks on the third party sites. It's too coincidental that as many (65+ breaches in my case) have been involved in a breach all simultaneously AND the passwords are not the same. Many thanks!


Your Keychain is fine.


Update your passwords.


Use robust and unique passwords.


Here’s how this mess starts: some service gets breached. There are lots and lots of service breaches, too. Say that you have an account on that service. Or you have accounts on a hundred or two different services. Most of us have increasing numbers of these accounts, too.


When those services are breached, every password associated with each account listed in that and in every other breach is then tried on every other service. Continuously. Forever.


Re-use a password exposed in that or some other breach, and some miscreant will now have access to that service, and whatever additional access can be gained from there. Access to an Apple ID (and particularly one without two-factor enabled) is a Bad Day for the account holder, too.


Put differently... Duplicate passwords will get found, just as soon as one has been included in a server breach.


And if Apple is reporting this diagnostic, then the password is known to be associated with the account. Bad Day.


As for determining the number of breaches that an email address has been found in, see here:


https://haveibeenpwned.com/


Further reading over there will provide further background, too.


What to do? Unique and robust passwords are strongly suggested. Enable two-factor on important accounts such as your Apple ID, too. And if it’s been re-used or otherwise exposed, change your Apple ID password. Same for your device passcode, if that’s become known.

May 7, 2021 5:10 PM in response to Silverjoystix

The million dollar question has been asked and answered many times in the thread that you didn’t bother to read before posting. But there’s no harm in repeating the answer yet again. Cybersecurity specialists visit “dark web” forums where criminals hang out to buy and sell stolen credentials and other data, such as user IDs, passwords, names, addresses, credit card numbers, social security numbers, and virtually any data that any compromised website has stored about you. Facebook, for example. Or Equifax, the credit bureau who had 140 million complete accounts stolen a few years ago. But hundreds of websites have been hacked into over the past few years, not just these big ones. ParkMobile, for example was just hacked and data from 21 million accounts were stolen. The cybersecurity investigators publish lists of the compromised user IDs and passwords (but not the other stolen data), and just about anyone can subscribe to these lists. Apple does, and so does Google. So when you use a password on an iPhone, iPad, Mac, or other Apple product Apple checks to see if the password is on the list they subscribe to. Similarly, if you use a password on any Google service Google can check it.


There’s also a public website where you can check your passwords and user IDs to see if they have been compromised. Go to https://haveibeenpwned.com and you can enter your user ID, or click on Passwords and enter a password to see if it has been found on the dark web. BTW, while it says email or phone number, you can also enter a non-email type of user ID and it will check it.

May 8, 2021 8:31 PM in response to Silverjoystix

Silverjoystix wrote:

This is the million dollar question no one else is asking. How does Apple know?


Okay, here’s how this scheme works. Some service gets breached. There are lots and lots of service breaches, too.


Every password associated with each account listed in that and in every other breach is then tried on every other service.


Continuously.


Forever.


Re-use a password, and some miscreant will now have access to that service, and whatever additional access can be gained from there. Access to an Apple ID (and particularly one without two-factor enabled) is a Bad Day for the account holder, too.


Put differently... Duplicate passwords will get found, just as soon as one has been included in a server breach.


And if Apple is reporting this diagnostic, then the password is known to be associated with the account. Bad Day.


As for determining the number of breaches that an email address has been found in, see

https://haveibeenpwned.com/

Further reading over there will provide further background, too.


Resetting the phone is not necessary. Unique passwords are strongly suggested. Two-factor on important accounts such as your Apple ID, too.

Oct 1, 2020 7:13 PM in response to Aqellezra

Okay, here’s how this scheme works. Some service gets breached. There are lots and lots of service breaches, too.


Every password associated with each account listed in that and in every other breach is then tried on every other service.


Continuously.


Forever.


Re-use a password, and some miscreant will now have access to that service, and whatever additional access can be gained from there. Access to an Apple ID (and particularly one without two-factor enabled) is a Bad Day for the account holder, too.


Put differently... Duplicate passwords will get found, just as soon as one has been included in a server breach.


And if Apple is reporting this diagnostic, then the password is known to be associated with the account. Bad Day.


As for determining the number of breaches that an email address has been found in, see

https://haveibeenpwned.com/

Further reading over there will provide further background, too.


Resetting the phone is not necessary. Unique passwords are strongly suggested. Two-factor on important accounts such as your Apple ID, too.

Jul 31, 2021 6:04 PM in response to boredumb

No, the warning is not a scam. Here is a lengthy explanation of how the leaked password warning is generated→Password Monitoring - Apple Support


To summarize, the leaked password list that is used for the leaked password warning came from hundreds of sites that have been hacked over the past several years (remember Equifax, that had 150 million accounts stolen, or Marriott that had over 200 million?), and the passwords have been found for sale on the dark web. There’s also a site where you can check your passwords and user IDs to see if they are on compromised password lists→https://haveibeenpwned.com. Google also has access to leaked password lists, and if you store passwords with Chrome those will be checked against these lists also.


This link describes how other warnings (weak password, reused passwords) work→Password security recommendations - Apple Support


Jul 31, 2021 7:45 PM in response to boredumb

For implementation details, see:


https://manuals.info.apple.com/MANUALS/1000/MA1902/en_US/apple-platform-security-guide.pdf#page132


On iOS and iPadOS, see: Settings > Passwords > Security Recommendations


On macOS, it’s hidden in Safari > Preferences > Passwords


If you’re getting notifications, one or more of your passwords may well be headed for trouble.



Mar 28, 2021 6:32 AM in response to dimych28



dimych28 wrote:

I’ve had this problem ever since updating to iOS 14.4. Different logins, different passwords; every time I log in with an Apple-stored password this message pops up. It seems that the problem is not with individual logins but with Apple, either with their settings for password storage, or a leak from iCloud that Apple hasn’t yet disclosed.


Apple provides a list of the weak or re-used or breached passwords in Settings > Passwords > Password Recommendations.


Work through that list resolving the problematic passwords, either switching to different passwords, or to generated passwords if you’re using Keychain or another password manager.


If you’d like to know where you’ve leaked passwords and the following breach information acquired from a different source, you can enter your email address into https://haveibeenpwned.com/



Mar 28, 2021 9:31 AM in response to jarkko274

jarkko274 wrote:

My point was, that when you get the "This password has appeared in a data leak" warning, it only means, what it literally says. Password has appeared in a data leak. It does not necessarily mean that _your_ username/password combination has appeared in a data leak. If you have a common password, it will very probably appear in some data leak, because some other user has used it.


AFAIK, that’s incorrect. If the password is listed as having been included in a data leak, it’s a password pair that’s been breached.


A weak password—one that’s been used often enough in enough other leaks for enough other accounts to become considered a weak password—is flagged as a weak password. That is, it’s a poor password choice, but not a leaked pair.


In any case, this thread will continue to be discussions about weak passwords, re-used passwords, and folks including myself that have had password pairs that have appeared in breaches.


The service linked earlier will show cases where the pairs have leaked: https://haveibeenpwned.com — these are the larger risk, particularly for those of us that have then re-used the pair.


What internal and/or external password services Apple might use for their detection is not documented.

Mar 28, 2021 10:54 AM in response to jarkko274

jarkko274 wrote:

Of course. But if username Bob has password “qwerty” on site A and username Alice has password “qwerty” on site B and site B gets hacked, Bob will get the warning “This password has appeared in a data leak” although Bob’s username/password pair is not hacked.


Based on the tags shown in the password recommendations, that appears to be incorrect.


Apple refers to the commonly-used passwords as being “easily guessed”. When these cases do occur, these “easily guessed” passwords are listed in the password report available on iPhone and iPad, with an indication that the password is not a robust choice. This is seemingly what you are referring to above with “qwerty” or similarly common password selections such as “password” or “123456” or such.


Apple detects and flags other of our problem passwords as being “reused passwords”. Which can quickly turn into a larger problem.


The most critical password problems are what Apple lists as “this password has appeared in a data leak”. These are breached credential pairs; cases where your email address or your account name and your password are associated together and are known to others. This is a password problem just waiting for the first botnet to try that credentials pair elsewhere. Which is commonly happening, and Apple IDs can be or are valuable targets.


The “easily guessed” and the re-used passwords are of somewhat lower risk, with those becoming a more serious problem if (when?) those credentials are leaked somewhere.


Per Apple, iPhone also securely monitors your passwords and alerts you if they appear in known data leaks. If you don’t want iPhone to perform this monitoring, go to Settings > Passwords > Security Recommendations, then turn off Detect Compromised Passwords.


I’d encourage leaving this password-detection setting enabled, and resolving weak passwords and re-used passwords as reasonably feasible, and resolving breached passwords immediately.
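To make the three-way distinction above concrete, here is an added example (not code from this thread or from Apple) that audits a password-manager CSV export for the two classes that can be judged entirely on the device, “easily guessed” and “reused”, and orders the affected accounts for changing, largest reuse group first. The export rows and the common-password list are constructed for the demo, and treating “easily guessed” as plain membership in a common-password list is an assumption for illustration, since Apple’s actual test is not documented on this page. Leaked-credential detection needs breach data and is not attempted here.

```python
"""Added example, not from the thread or from Apple: audit a
password-manager export for the locally decidable problem classes,
"easily guessed" and "reused".  All sample data is constructed."""

from __future__ import annotations

import csv
import io
from collections import defaultdict

# Constructed export in the usual name,url,username,password layout.
SAMPLE_EXPORT = """\
name,url,username,password
Shop A,https://shop-a.example,bob@example.com,Summer2020!
Forum B,https://forum-b.example,bob@example.com,Summer2020!
Bank C,https://bank-c.example,bob,x9#Lq2!vR8zT
Mail D,https://mail-d.example,bob@example.com,Summer2020!
Game E,https://game-e.example,bobby,qwerty
Photos F,https://photos-f.example,bob@example.com,qwerty
"""

# Constructed stand-in for a list of the most commonly leaked passwords.
# Assumption: Apple's real "easily guessed" test is not documented here,
# so simple list membership is used in its place.
EASILY_GUESSED = {"123456", "password", "qwerty", "letmein", "111111"}


def parse_export(text: str) -> list[dict[str, str]]:
    """Parse a CSV export into rows keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(entries: list[dict[str, str]]) -> dict:
    """Classify entries without echoing any password back in the report.

    Returns {"easily_guessed": [account names],
             "reused": [[account names sharing one secret], ...]}
    with the reuse groups ordered largest first.
    """
    by_password: dict[str, list[str]] = defaultdict(list)
    for e in entries:
        by_password[e["password"]].append(e["name"])
    reused = sorted(
        (sorted(names) for names in by_password.values() if len(names) > 1),
        key=len,
        reverse=True,
    )
    easily = sorted(e["name"] for e in entries if e["password"] in EASILY_GUESSED)
    return {"easily_guessed": easily, "reused": reused}


def change_order(report: dict) -> list[str]:
    """Accounts to rotate first: every member of the biggest reuse group,
    then the next group, then any easily guessed password not yet covered."""
    ordered: list[str] = []
    for group in report["reused"]:
        ordered.extend(group)
    for name in report["easily_guessed"]:
        if name not in ordered:
            ordered.append(name)
    return ordered


if __name__ == "__main__":
    report = audit(parse_export(SAMPLE_EXPORT))
    print("easily guessed:", report["easily_guessed"])
    print("reuse groups:  ", report["reused"])
    print("change first:  ", change_order(report))
```

Run it as a script on the embedded sample; the report names accounts, never passwords, so it can be shared or logged without leaking anything, and the unique strong password (Bank C) never appears in the change list.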

Mar 28, 2021 2:55 PM in response to Confused_Canuck

Confused_Canuck wrote:


MrHoffman wrote:

Here’s how this mess starts: some service gets breached. There are lots and lots of service breaches, too. Say that you have an account on that service. Or you have accounts on a hundred or two different services. Most of us have increasing numbers of these accounts, too.
From experience, I'd like to emphasize that if one's password is easily guessed, or someone else has also created the same password, say from an application that generates "random" passwords, then that password will appear inside Apple's database. It doesn't mean that you specifically have been breached, but Apple's messaging is just that.

If in doubt, use another service to verify IF in fact your password has been breached. If it has, change it. Don't let this fearmongering on the part of Apple leave you insecure. I take their warning with a grain of salt.


I fail to see what benefit a “second opinion” might offer here over changing a password.


And passwords that are easily guessed are listed as such. And are listed as less serious issues.


Credentials pairs—account and password—that are breached are listed as breached. And listed as serious.


As for breached passwords? Change those. This particularly given the effort of the password change as compared with the effort and the mess created when an exposed password is misused.


And as you quite correctly state, different breach-listing services can have different data from different breaches.


Which means the proper determination here is a lack of matching breach data across all password-breach services, and not across those password-breach services with the particular answer that we might prefer. I’d rather assume breach than not.


If you don’t want to change your passwords, don’t.


If you don’t want password breach notifications, disable that feature.


But shopping for an answer? That seems... risky. Apple has a pretty big deployment and a pretty big network, after all. And a view into which accounts and password pairs have been exposed. And hazardous.

Oct 18, 2020 4:27 PM in response to kitt161

It has nothing to do with your buying a phone from eBay. iOS 14 checks passwords that you enter against a published list of compromised passwords that have been found in data leaks. You can check them yourself at https://haveibeenpwned.com and tapping on Passwords.


The greatest risk is if you use the same password on multiple sites, and/or you don’t use strong passwords (meaning at least 8, and preferably 12, character passwords that don’t contain any personally identifiable information).

Aug 10, 2021 3:11 AM in response to ACliveB

haveibeenpwned contacts multiple well-known services such as wattpad and mathway, etc., to see if they have been exposed to hackers and accounts have been sold or leaked, and might also confirm that your email or phone number is part of that list.

This methodology has some limitations, however, as it relies on companies actually admitting that they have been hacked and handing over a record of the affected emails.

Contrastingly, Apple's Keychain services use a different method. Like many VPN services such as NordVPN, Keychain actually references many deep web links to compromised accounts and immediately contacts the owner. Quote:


"To verify whether a password not present in the local list is a match involves some interaction with Apple servers. To help ensure that legitimate users’ passwords aren’t sent to Apple, a form of cryptographic private set intersection is deployed that compares the users’ passwords against a large set of leaked passwords. This is designed to ensure that for passwords less at risk of breach, little information is shared with Apple. For a user’s password, this information is limited to a 15-bit prefix of a cryptographic hash. The removal of the most frequently leaked passwords from this interactive process, using the local list of most commonly leaked passwords, reduces the delta in relative frequency of passwords in the web services buckets, making it impractical to infer user passwords from these lookups."


In short (cutting through the bull-****, excuse the French), it is a far faster and more secure system. Here's a link to Apple's website that explains it sort of well: Password Monitoring

Hope this helps!


Royce
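The lookup idea that runs through this thread (the haveibeenpwned Passwords check mentioned in several replies, and the hash-prefix bucket in the Apple quote above) can be shown end to end. Below is an added example, not code from the thread, from Apple or from haveibeenpwned: a toy server holding a constructed breach corpus, and a client that sends only the first 5 hex characters (20 bits) of the SHA-1 of the candidate password and finishes the match locally, which is the shape of the real Pwned Passwords range API. Apple’s scheme uses a 15-bit prefix and private set intersection rather than a plain bucket download, so this stands in for the general principle only. The corpus, its occurrence counts, the local common-password list and the candidate passwords are all constructed. Note also that the Pwned Passwords range lookup is keyed on the password string alone; the site’s email search is a separate, account-level lookup.

```python
"""Added example, not code from the thread, from Apple or from
haveibeenpwned: a k-anonymity password lookup in the shape of the
Pwned Passwords range API.  Breach corpus, local common-password list
and candidate passwords are all constructed for the demo."""

from __future__ import annotations

import hashlib
from collections import Counter

PREFIX_LEN = 5  # hex chars of SHA-1, i.e. 20 bits, as the real range API uses

# Constructed "breach corpus" with made-up occurrence counts; not real data.
BREACHED = Counter({
    "password": 9_000_000,
    "123456": 23_000_000,
    "qwerty": 3_800_000,
    "letmein": 500_000,
    "Tr0ub4dor&3": 17,
    "correcthorsebatterystaple": 120,
})

# Constructed local list of the most frequently leaked passwords.  As with
# the local list in the Apple quote, anything on it is judged on the device
# and never produces a network query at all.
LOCAL_COMMON = {"password", "123456", "qwerty"}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the digest the range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_server_index(corpus: Counter) -> dict[str, dict[str, int]]:
    """Bucket every breached hash by its prefix: prefix -> {suffix: count}."""
    index: dict[str, dict[str, int]] = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:PREFIX_LEN], {})[digest[PREFIX_LEN:]] = count
    return index


class RangeServer:
    """Toy breach-data server that records exactly what clients send it."""

    def __init__(self, corpus: Counter) -> None:
        self.index = build_server_index(corpus)
        self.received: list[str] = []  # every query payload ever seen

    def range_query(self, prefix: str) -> dict[str, int]:
        """Return the whole bucket; the server cannot tell which suffix,
        if any, the client was actually interested in."""
        if len(prefix) != PREFIX_LEN:
            raise ValueError("client must send exactly the hash prefix")
        self.received.append(prefix)
        return dict(self.index.get(prefix, {}))


def check_password(password: str, server: RangeServer) -> tuple[str, int]:
    """Client side.  Returns (verdict, count); verdict is 'common' (on the
    local list, no query made), 'leaked' (suffix found) or 'clear'."""
    if password in LOCAL_COMMON:
        return "common", 0
    digest = sha1_hex(password)
    bucket = server.range_query(digest[:PREFIX_LEN])
    count = bucket.get(digest[PREFIX_LEN:], 0)  # the match is decided locally
    return ("leaked" if count else "clear"), count


def server_saw_full_hash(server: RangeServer, password: str) -> bool:
    """True only if the complete digest of this password ever reached the server."""
    return sha1_hex(password) in server.received


if __name__ == "__main__":
    srv = RangeServer(BREACHED)
    for candidate in ("qwerty", "letmein", "Tr0ub4dor&3", "N0t-in-any-breach-2021"):
        print(f"{candidate!r:28} -> {check_password(candidate, srv)}")
    print("server received only:", srv.received)
```

Run it as a script to see the verdicts and the server’s log: a password on the local list never reaches the server, and for the rest the server holds only 5-character prefixes, each shared with every other password in that bucket, which is what makes the lookup safe to perform on a password that turns out not to be leaked.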
