"This password has appeared in a data leak" notice on iPhone

Is there any way to find out what website the data leak was from when getting this on my iphone settings?


I want to find the culprit for me now having to change my password used on 59 other sites



[Re-Titled by Moderator]

iPhone 11

Posted on Sep 29, 2020 9:22 AM


Posted on Mar 28, 2021 7:32 AM

No, the problem is not with Apple. Apple is simply the messenger, telling you that a password (or passwords) that you have used have been found in published lists of passwords that have been stolen from various online sites. There are databases that are built by cybersecurity companies going to the dark web and seeing what stolen information is offered for sale by various criminal enterprises. Google offers a similar feature in Chrome, and the site https://haveibeenpwned.com can also tell you if a password that you use has been found in login information stolen from other sites.


If you want to learn about the hundreds of sites that have been hacked (many of which you probably use) Brian Krebs reports on the latest ones: https://krebsonsecurity.com. Some of the largest include Equifax, Marriott Hotels, the US Government’s personnel management agency, and many chain restaurants. And the most recent is almost all sites worldwide that use Microsoft Exchange.

133 replies

Jul 31, 2021 6:06 PM in response to IamMrZ

IamMrZ wrote:

I have just received this notification too. From the date I started recent accounts across different services it is very obvious that the data leak can only have come from Google, Apple or Microsoft or a combination of all three.

WRONG. Leaked passwords have not come from Google, Apple or Microsoft. They have come from hundreds of businesses and sites that have been hacked over the past few years. Like Equifax, Marriott, Zynga, and hundreds of others.

Sep 30, 2020 10:17 AM in response to Johnathan Burger

I use unique passwords on all sites and have had this warning for several sites that use 5 or 6 figure number PINs as their password (which are all different, by the way).


Does this mean that:


  1. it has actually identified that the website with my account username and password combo has been leaked, or
  2. just that these 5 or 6 figure number PINs have been found on a compromised list for "someone"?


Clearly 1 causes me great concern but 2 would seem reasonable, in that there will be numerous people worldwide who would randomly choose the same 5 figure number, of which some poor soul has had their data breached.

Oct 18, 2020 4:02 PM in response to Aqellezra

I bought an iPhone 8 Plus on eBay, and right when I was signing in to all my accounts that I used before, it always says it's been in a data leak. I want to know if this is from me buying an iPhone from eBay, or if it's just like those scam phone calls you get when they ask for your credit card information.

An example of one of the passwords that has been “leaked.” I just want to know if I have to change all my passwords, even my Apple ID.

Nov 7, 2020 5:33 AM in response to Aqellezra

I have a similar scenario, receiving a notification on my iPhone that approx. 80 of my username/passwords are the subject of a data breach. However, many of my passwords on this notification are different, i.e. not the same password across all sites. I often use a similar password but with different letters or numbers at the end.


Some of these notifications even related to my wife's email addresses and passwords, and one was my son's school log-on with different passwords.


So how can it be that all these websites have suffered a data breach at the same time?


I can understand the concept of, say, a retailer's website getting hacked and suffering a data breach that contains a list of all its customers, including my email and password. And I get that as a precaution Apple may notify me about a potential breach for any other websites where I may have the same email & password combination. But why would I be notified of many other passwords being at risk? Is it because they may contain 'part' of the same password? But that still doesn't explain the notifications relating to my wife's and son's passwords, which are nothing like mine.


It's almost as if Apple's whole keychain password app on my iPhone has been compromised and it's spat out all the ones that don't contain an 18-key encryption.


I'm slowly working through them all again and changing them.


Thanks



Nov 10, 2020 6:52 AM in response to ACliveB

It’s an educated guess based on the fact that it actually found your password somewhere; they didn’t make this up. There are many cybersecurity trackers, and they scan the dark web for credentials that are offered for sale. They don’t all hit the same sites. Apple has close relationships with several of the better ones, partly because they pay huge bounties to security researchers who report vulnerabilities in Apple software (which Apple then fixes). This year they have paid almost $500,000 in bounties for reports of potential risks, most of which were discovered before hackers discovered them.


If you are interested in reading about the Internet underworld (the dark web) a good place to start is https://krebsonsecurity.com. Brian Krebs has written books about the subject in addition to his blog posts, many of which are about stolen personal information.

Dec 8, 2020 2:54 PM in response to dpowre

So it appears that Apple is only reporting passwords that have been found in a dictionary of leaked passwords. This does not necessarily mean that your exact email/password combo has been leaked, nor linked to a specific website. Whereas haveibeenpwned generally reports actual database leaks of your information. Can anyone confirm this?

Dec 23, 2020 7:45 AM in response to Tlenny71

Tlenny71 wrote:

What answer did you receive? So I need to reset ever single password as the data leak message is coming up on all of them?

You don’t have to; only if you don’t want the accounts where you used those passwords hacked into. If any are financial institutions or government agencies it would be foolish not to change the passwords.

Feb 17, 2021 6:26 AM in response to Homer888

I’ve checked the passwords that Apple flagged, and those had been in dumps of my accounts from elsewhere. In years past, I did re-use some of what I considered throw-away passwords. Anyway, you do you, of course.


As for hashes, there are two sorts in common use. Digest hashes, which are fast to calculate, but slow to generate collisions (matching hashes), and password hashes, which are intentionally slow to calculate, and slow to generate collisions. The former are unfortunately sometimes misused for passwords. The latter are designed to be resource-intensive for memory and difficult to parallelize, and expensive to implement in hardware.


Brute-forcing passwords is certainly possible, with better password hashes and longer and more robust passwords pushing that brute-forcing into decades or centuries with current hardware.


Brute-forcing involves first trying previously-used passwords (which is what Apple is flagging, here), then trying widely-used passwords, then trying variations of those, then trying every password. The lattermost effort takes a very long time with algorithms such as PBKDF2 and bcrypt, and rather less time with a password store that chose a (quicker-to-calculate) message digest hash.

Mar 28, 2021 8:41 AM in response to jarkko274

That’s true, and anyone who uses such a password deserves what they get. I hope that is very few people.


But what you are missing is that the databases of hacked accounts have both the user ID and matching password, so if your login is janedoe@xyzzy.com, your password is qwerty and your account is with equifax (or any other site, like your bank, the IRS, Social Security, etc) whoever wants to hack your account on equifax has your login AND your password. And also your social security number, your address, your phone number, credit card numbers, your mother’s maiden name and lots of other personal stuff (because when Equifax was hacked all of that information was in their database). So even if you change your password they know enough about you to call equifax, pretend they are you (because they know all your details) and get your password changed. Unless you have 2 factor authentication on your account.


And even that isn’t a guarantee if hacking you is worth enough to them, because they can do a SIM swap and intercept your text messages. SIM swaps are risky enough so they are unlikely to do it for the average person, but there was a front page story in several papers yesterday about someone whose Coinbase account was hacked and $100,000 was taken from their bitcoin account, using a SIM swap.

Mar 28, 2021 2:32 PM in response to MrHoffman

MrHoffman wrote:

Here’s how this mess starts: some service gets breached. There are lots and lots of service breaches, too. Say that you have an account on that service. Or you have accounts on a hundred or two different services. Most of us have increasing numbers of these accounts, too.

From experience, I'd like to emphasize that if one's password is easily guessed, or someone else has also created the same password, say from an application that generates "random" passwords, then that password will appear inside Apple's database. It doesn't mean that you specifically have been breached, but Apple's messaging is just that.


If in doubt, use another service to verify IF in fact your password has been breached. If it has, change it. Don't let this fearmongering on the part of Apple leave you insecure. I take their warning with a grain of salt.

Mar 29, 2021 6:58 AM in response to jarkko274

jarkko274 wrote:

“Credentials pairs—account and password—that are breached are listed as breached. And listed as serious.”

Nope. It is enough that the certain _password_ has appeared in a database of breached passwords.

If username Bob has password “qwerty” on site A and username Alice has password “qwerty” on site B and site B gets hacked, Bob will get the warning “This password has appeared in a data leak” although Bob’s username/password pair was not hacked on a different site.

If a password you use has been used by someone else, considering that there are trillions and more of possible passwords, it’s a weak password and that’s reason enough to change it. Even just 8 character passwords have 6x10^14 or 600 trillion possible combinations. How likely is any “good” password going to be the same as someone else’s password?
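A worked illustration of the distinction drawn in this reply, added here and not part of the original thread: a password-only lookup (what the iPhone notice reports) versus a credential-pair lookup over a constructed "site B" dump. The prefix index mirrors the k-anonymity range scheme used by haveibeenpwned's Pwned Passwords service; the dump contents, account names and helper names are made up for this example.

```python
import hashlib

# Constructed sample dump stolen from "site B" (not a real breach).
# Bob is NOT in it, but he reuses "qwerty" on site A.
SITE_B_DUMP = [
    ("alice@example.com", "qwerty"),
    ("carol@example.com", "correct horse battery staple"),
]

PREFIX_LEN = 5  # Pwned Passwords range queries send only 5 hex chars of SHA-1


def sha1_hex(text: str) -> str:
    """Upper-case hex SHA-1, the form used by Pwned Passwords."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_leaked_password_index(dumps):
    """Index leaked passwords by hash prefix -> set of hash suffixes.

    The checker only ever needs to send the prefix; it receives the whole
    suffix bucket and does the final comparison locally.
    """
    index = {}
    for _user, password in dumps:
        digest = sha1_hex(password)
        index.setdefault(digest[:PREFIX_LEN], set()).add(digest[PREFIX_LEN:])
    return index


def password_seen_in_leak(password: str, index) -> bool:
    """Password-only check, which is what the iPhone notice reflects:
    True if *anyone's* leaked password equals this one."""
    digest = sha1_hex(password)
    bucket = index.get(digest[:PREFIX_LEN], set())
    return digest[PREFIX_LEN:] in bucket


def credential_pair_seen_in_leak(username: str, password: str, dumps) -> bool:
    """Credential-pair check: True only if this exact account was dumped."""
    return (username, password) in set(dumps)


if __name__ == "__main__":
    index = build_leaked_password_index(SITE_B_DUMP)
    # Bob gets the warning although his own site A was never breached.
    print("bob/qwerty flagged:", password_seen_in_leak("qwerty", index))
    print("bob's pair in dump:",
          credential_pair_seen_in_leak("bob@example.com", "qwerty", SITE_B_DUMP))
```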
