"This password has appeared in a data leak" notice on iPhone

Sorry, I did not mean to offend you.

I checked different security websites. There is discrepancy between Apple data and publicly available data. Apple should be more transparent and needs to be consistent.

I did not mean to kill the messenger 😉

I came here to look for an answer as this is a very serious issue. And luckily, I found my answer.

But if I still had questions regarding this thread, I wouldn’t dare ask. A couple of higher level ladies/gentlemen gave informative, teaching answers with references and I thank you.

So I am assuming this is the result of the latest security updates. Thank you again.

Apple has access to lists of passwords that have been compromised in data leaks from web sites and e-commerce providers. If you are seeing that message it means your password is on one of the those lists. There are also public lists that you can check, most notably https://havibeenpwned.com where you can check yourself. However, Apple’s list is larger than that one.

Have you got any basis for that assertion, that apple has access to lists other websites don't ? that Apple's list is larger ? Or are you just guessing. If you are right it is astonishingly anti-social of Apple not to share their lists with havibeenpwned - they're saying you can only find out if your password is compromised by buying one of their products.

I changed one of my supposedly compromised passwords to something unique and it still said it had appeared in a data leak. My guess is it is a bug in their system.

Well I used the link https://havibeenpwned.com/ and put in the email address that Apple stated had appeared in a data leak and the results were Good news no pwnage found! I had not altered that email address password either.

It’s an educated guess based on the fact that it actually found your password somewhere; they didn’t make this up. There are many cybersecurity trackers, and they scan the dark web for credentials that are offered for sale. They don’t all hit the same sites. Apple has close relationships with several of the better ones, partly because they pay huge bounties to security researchers who report vulnerabilities in Apple software (which Apple then fixes). This year they have paid almost $500,000 in bounties for reports of potential risks, most of which were discovered before hackers discovered them.

If you are interested in reading about the Internet underworld (the dark web) a good place to start is https://krebsonsecurity.com. Brian Krebs has written books about the subject in addition to his blog posts, many of which are about stolen personal information.

Funnily enough I just ran in to this issue this morning. I was logging in to the management console of a switch on a hardened network that has no access to the internet. Local wifi access to the switch and it is a 24 random character password and is only used on this specific switch. haveibeenpwned lists it as good. I’m more inclined to believe that ios just doesn’t like the fact that the password is more than a year old.. Even then, I’m not too worried about it because they would first have to gain access to my server room and get on the local network to access the switch and THEN figure out what the 20 character username is..

One other odd thing is they warn me about one of my passwords because it contains a common word, fair enough, but the “common word” they show is part of the password that contains two special characters so it’s not a word at all.

dpowre wrote:

So it appears that Apple is only reporting passwords that have been found in a dictionary of leaked passwords. This does not necessarily mean that your exact email/password combo has been leaked, nor linked to a specific website.

This is my interpretaion of the messages, which for me do not say that the username/password pair have been leaked only the password.

If this is the case then saying that your account may be compromised seems incorrect if a hacker does not have access to an associated email address or username for a particular site/service.

Are there specific messages that indicate both email/username and password have been found - that would be worrying but simply having one of your passwords in a huge dictionary of known passwords would be far less risky, though clearly hackers could attempt simplified 'brute force' attacks using a dictionary of common passwords used worldwide.

Thanks - would you agree the iOS 14 alerts are confusing in only mentioning the password then?

Fortunately those that appear for me have additional precautions such as texted phone codes, but it's all rather disconcerting if the site owners (some credit cards) haven't figured out their login data has been compromised!

Tlenny71 wrote:

What answer did you receive? So I need to reset ever single password as the data leak message is coming up on all of them?

You can read the answers for yourself in this thread.

Yes, if all of your passwords are saying they may have been compromised, you should change them. But no one will force you to do so.

Tlenny71 wrote:

What answer did you receive? So I need to reset ever single password as the data leak message is coming up on all of them?

You don’t have to; only if you don’t want the accounts where you used those passwords hacked into. If any are financial institutions or government agencies it would be foolish not to change the passwords.

Well. If 1password, Bitwarden, and Google don't flag my password, guess what I'm assuming? It's a false positive. Sure, you can change tour password but if it's an iTunes account it's usually a RPIA to manually enter it those stupid times Apple won't let you use their own password auto fill.

Thanks Lawrence followed your advice and according to Apple 220 detected and majority of leaks were associated with Gmail.

Then using https://haveibeenpwned.com/

their results were 11 associated with a iPrimus account (my mail account ) and none detected in my gmail account.

looking at the leaks they were a few years old and do not use those websites

I have changed some of the password but the apple results has not updated so my thoughts are there are issues with the Apple App and I am going to rely on https://haveibeenpwned.com/

cheers

You also should be mindful that we don't know what haveibeenpwned does with the passwords or email addresses you enter to check. Is the search performed on RAM servers or is there a log? If it's the latter, everyone who has done a search on their site is at risk. Just saying.