"This password has appeared in a data leak" notice on iPhone

I have a similar scenario, receiving a notification on my iPhone that approx 80 of my username/passwords are the subject of a data breach. However many of my passwords on this notification are different. Ie, not the same password across all sites. I often use a similar password but with different letters or numbers at the end.

Some of these notifications even related to my wife's email addresses and passwords, and one was my sons school log-on with different passwords.

So how can it be that all these websites have suffered data breach at the same time??

I can understand the concept of, say, a retailers website getting hacked and suffering a data breach that contains a list of all its customers including my email and password. And I get that as a precaution Apple may notify me about a potential breach for any other websites where I may have the same email & password combination. But why would I be notified of many other passwords being at risk? Is it because they may contain 'part' of the same password? But that still doesn't explain the notifications relating to my wife and sons passwords which are nothing like mine.

Its almost as if Apples whole key chain password app in my iPhone has been compromised and its spat out all the ones that don't contain a 18 key encryption.

I'm slowly working through them all again and changing them.

Thanks

i bought an iphone 8 plus on ebay and right when i was signing in to all my accounts that i used before it always says its been in a data leak, i want to know if this is from me buying an iphone from ebay or if its just like those scam phone calls you get when they ask for your credit card information.

an example of one of the passwords that has been “leaked.” i just want to know if i have to change all my passwords, even my apple id.

I use unique passwords on all sites and have had this warning for several sites that use 5 or 6 figure number PIN's as their password (which are all different by the way).

Does this mean that:

1. it has actually identified the website with my account username and password combo has been leaked, or
2. just that these 5 or 6 figure number PIN's have been found on a compromised list for "someone"?

Clearly 1 causes me great concern but 2 would seem reasonable, in that there will be numerous people worldwide that would randomly choose the same 5 figure number, of which some poor sole has had their data breached.

So you are advocating NOT changing a password that has been leaked?

Hey guys i got the same message so i clicked on it and it took me to the page with all leaked sites. I was gonna change all my passwords later so i turned my phone off. But now i can’t find the page again to change my password. Do y’all know where it is?

Okay, here’s how this scheme works. Some service gets breached. There are lots and lots of service breaches, too.

Every password associated with each account listed in that and in every other breach is then tried on every other service.

Continuously.

Forever.

Re-use a password, and some miscreant will now have access to that service, and whatever additional access can be gained from there. Access ro an Apple,ID (and particularly one without two-factor enabled) is a Bad Day for the account holder, too.

Put differently... Duplicate passwords will get found, just as soon as there’s one been included in a server breach.

And if Apple is reporting this diagnostic, then the password is known to be associated with the account. Bad Day.

As for determining the number of breaches thar an email address has been found, see

https://haveibeenpwned.com/

Further reading over there will provide further background, too.

Resetting the phone is not necessary. Unique passwords are strongly suggested. Two-factor on important accounts such as your Apple ID, too.

I was informed by Apple that all my passwords were part of a data leak. I don’t use my Apple password for anything except for Apple which means that they had the data leak. They are also telling me that every other password I have was leaked so they leaked all of my passwords?! What the heck happened?!

No, the warning is not a scam. Here is a lengthy explanation of how the leaked password warning is generated→Password Monitoring - Apple Support

To summarize, the leaked password list that is used for the leaked password warning came from hundreds of sites that have been hacked over the past several years (remember Equifax, that had 150 million accounts stolen, or Marriott that had over 200 million?), and the passwords have been found for sale on the dark web. There’s also a site where you can check your passwords and user IDs to see if they are on compromised password lists→https://haveibeenpwned.com. Google also has access to leaked password lists, and if you store passwords with Chrome those will be checked against these lists also.

This link describes how other warnings (weak password, reused passwords) work→Password security recommendations - Apple Support

You will never find the culprit.

Look at the news, many websites and companies are breached.

Many of them don't follow best practices of security by salting and hashing passwords.

It is estimated that 15 billion passwords are available to buy on the dark web.

Your best bet is to use a password generator to create a unique password for each and every website.

iOS has one built in, keychain:

https://support.apple.com/guide/iphone/automatically-fill-in-strong-passwords-iphf9219d8c9/ios

You can also use a service such as 1password or lastpass.

This is the million dollar question no one else is asking. How does Apple know?

What’s going on - everyday I seem to be getting this message even after I-have updated my password.

I go into FB and I find my account is active 90 miles away - do a security check with FB nothing wrong but apple keeps saying password leaked-

But to keep passwords for every websites is insane. How can we remember those passwords? If this is the solution then it sucks. Normal people can't remember each and every password (now you will tell that you don't have to remember the password but instead your phone or computer will do it. Unfortunately, Life is not that simple.

Cyber researchers have to work more hard on solving this problem.

tutu786 wrote:

But to keep passwords for every websites is insane.

No, it is not only sane, it is the ONLY way to stay relatively safe. If you use the same password for multiple sites it pretty much guarantees that you will be hacked. Use a password vault app so you don’t have to remember any of them. If you use only Apple products the built in Keychain will do nicely. But all major web browsers also have the ability to save your passwords, including Firefox, Safari, Opera, Chrome, etc. And there are quite a few 3rd party password vaults; here are some (not a complete list):

• 1password (generally considered the best)
• lastpass
• SplashID safe
• Dropbox Passwords

All of these work the same way. They store your passwords using strong encryption, and you only have to remember one password for the app itself to find any password and have it entered automatically into the website or app.

For implementation details, see:

https://manuals.info.apple.com/MANUALS/1000/MA1902/en_US/apple-platform-security-guide.pdf#page132

On iOS and iPadOS, see: Settings > Passwords > Security Recommendations

On macOS, it’s hidden in Safari > Preferences > Passwords

If you’re getting notifications, one or more of your passwords may well be headed for trouble,

haveibeenpwned contacts multiple famous services such as wattpad and mathway, etc to see if they have been exposed to hackers and accounts have been sold or leaked, and might also confirm that your email or phone-number is part of that list.

This methodology has some limitations however, as it relies on companies actually admitting and giving a record of emails stating that they have been hacked.

Contrastingly Apple's Keychain services use a different method. Like many VPN services like NordVPN, Keychain actually references many deep web links to compromised accounts and immediately contacts the owner. Quote:

"To verify whether a password not present in the local list is a match involves some interaction with Apple servers. To help ensure that legitimate users’ passwords aren’t sent to Apple, a form of cryptographic private set intersection is deployed that compares the users’ passwords against a large set of leaked passwords. This is designed to ensure that for passwords less at risk of breach, little information is shared with Apple. For a user’s password, this information is limited to a 15-bit prefix of a cryptographic hash. The removal of the most frequently leaked passwords from this interactive process, using the local list of most commonly leaked passwords, reduces the delta in relative frequency of passwords in the web services buckets, making it impractical to infer user passwords from these lookups."

(in short cutting through the bull-**** (excuse the french)) and is way faster and more secure of a system. Heres a link to apples website that explains it sort of well: Password Monitoring

Hope this helps!

Royce