
"This password has appeared in a data leak" notice on iPhone

Is there any way to find out what website the data leak was from when getting this on my iPhone settings?


I want to find the culprit for me now having to change my password used on 59 other sites.



[Re-Titled by Moderator]

iPhone 11

Posted on Sep 29, 2020 9:22 AM

Question marked as Best reply

Posted on Nov 7, 2020 5:33 AM

I have a similar scenario, receiving a notification on my iPhone that approx 80 of my username/passwords are the subject of a data breach. However, many of my passwords on this notification are different, i.e., not the same password across all sites. I often use a similar password but with different letters or numbers at the end.


Some of these notifications even related to my wife's email addresses and passwords, and one was my son's school log-on with different passwords.


So how can it be that all these websites have suffered a data breach at the same time??


I can understand the concept of, say, a retailer's website getting hacked and suffering a data breach that contains a list of all its customers including my email and password. And I get that as a precaution Apple may notify me about a potential breach for any other websites where I may have the same email & password combination. But why would I be notified of many other passwords being at risk? Is it because they may contain 'part' of the same password? But that still doesn't explain the notifications relating to my wife's and son's passwords, which are nothing like mine.


It's almost as if Apple's whole keychain password app in my iPhone has been compromised and it's spat out all the ones that don't contain an 18 key encryption.


I'm slowly working through them all again and changing them.


Thanks



133 replies

Nov 9, 2020 11:07 PM in response to Lawrence Finch

Have you got any basis for that assertion, that Apple has access to lists other websites don't? That Apple's list is larger? Or are you just guessing? If you are right it is astonishingly anti-social of Apple not to share their lists with haveibeenpwned - they're saying you can only find out if your password is compromised by buying one of their products.


I changed one of my supposedly compromised passwords to something unique and it still said it had appeared in a data leak. My guess is it is a bug in their system.

Nov 10, 2020 6:52 AM in response to ACliveB

It’s an educated guess based on the fact that it actually found your password somewhere; they didn’t make this up. There are many cybersecurity trackers, and they scan the dark web for credentials that are offered for sale. They don’t all hit the same sites. Apple has close relationships with several of the better ones, partly because they pay huge bounties to security researchers who report vulnerabilities in Apple software (which Apple then fixes). This year they have paid almost $500,000 in bounties for reports of potential risks, most of which were discovered before hackers discovered them.


If you are interested in reading about the Internet underworld (the dark web) a good place to start is https://krebsonsecurity.com. Brian Krebs has written books about the subject in addition to his blog posts, many of which are about stolen personal information.

Nov 22, 2020 7:15 PM in response to dpowre

Fully agree. According to Apple I have 221 data leaks. I check via haveibeenpwned and I have 11.


I go onto my iPad and check my Facebook and it states it is active at a town 100 km away, and I have not been to that town for 30 years. I do a security check with Facebook and haveibeenpwned, and the FB page has not been noted as a leak, so I don't know who to trust!

Nov 29, 2020 9:28 AM in response to Aqellezra

Funnily enough I just ran into this issue this morning. I was logging in to the management console of a switch on a hardened network that has no access to the internet. Local Wi-Fi access to the switch and it is a 24 random character password and is only used on this specific switch. haveibeenpwned lists it as good. I’m more inclined to believe that iOS just doesn’t like the fact that the password is more than a year old. Even then, I’m not too worried about it because they would first have to gain access to my server room and get on the local network to access the switch and THEN figure out what the 20 character username is.

Dec 14, 2020 8:07 AM in response to dpowre

dpowre wrote:

So it appears that Apple is only reporting passwords that have been found in a dictionary of leaked passwords. This does not necessarily mean that your exact email/password combo has been leaked, nor linked to a specific website.

This is my interpretation of the messages, which for me do not say that the username/password pair have been leaked, only the password.


If this is the case then saying that your account may be compromised seems incorrect if a hacker does not have access to an associated email address or username for a particular site/service.


Are there specific messages that indicate both email/username and password have been found - that would be worrying but simply having one of your passwords in a huge dictionary of known passwords would be far less risky, though clearly hackers could attempt simplified 'brute force' attacks using a dictionary of common passwords used worldwide.

Dec 23, 2020 7:45 AM in response to Tlenny71

Tlenny71 wrote:

What answer did you receive? So I need to reset every single password as the data leak message is coming up on all of them?

You don’t have to; only if you don’t want the accounts where you used those passwords hacked into. If any are financial institutions or government agencies it would be foolish not to change the passwords.

Jan 19, 2021 2:46 PM in response to Lawrence Finch

Thanks Lawrence, followed your advice and according to Apple 220 detected and the majority of leaks were associated with Gmail.


Then using https://haveibeenpwned.com/ their results were 11 associated with an iPrimus account (my mail account) and none detected in my Gmail account.


Looking at the leaks, they were a few years old and I do not use those websites.


I have changed some of the passwords but the Apple results have not updated, so my thoughts are there are issues with the Apple app and I am going to rely on https://haveibeenpwned.com/

Cheers

Feb 16, 2021 2:38 AM in response to Lawrence Finch

Just a reminder. The Apple warning may be a false positive. As a few others have chimed in, Apple support says the same and they just want you to change your password. They're inciting fear which is a terrible thing. But it's ok. Insurrection and incitement is perfectly acceptable in the West.


Also, anytime you enter your password online to sites which check for password breaches, you're opening up yourself to being compromised. I suggest after you do this, you change your password anyway.


And to the Apple missionaries and activists, Apple is playing you if you believe they genuinely care about our privacy. They may care more than Huawei or Google, but they still can't be trusted completely. They don't have their own special forces unit or exclusive database that checks your password for breaches. They use what everyone else does.
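
How a password-only leak check of the kind debated in this thread can behave, as an added example (not from any poster, and not Apple's implementation, which this page does not describe). It assumes a hashed-prefix range lookup modeled on the haveibeenpwned Pwned Passwords range query; the corpus, vault entries and function names are constructed for illustration. One corpus hit flags every entry that reuses that password regardless of username, and the corpus holds no site name to report.

```python
import hashlib

# Constructed sample data: a password-only corpus (no usernames, no site names).
LEAKED_PASSWORDS = ["password1", "Summer2020", "qwerty123", "letmein"]
# Constructed vault entries: (site, username, password).
VAULT = [
    ("shop.example", "me@example.com", "Summer2020"),
    ("forum.example", "wife@example.com", "Summer2020"),
    ("school.example", "son01", "letmein"),
    ("switch.local", "admin", "x7Q!vR2m#Lp9zT4w"),
]

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_index(passwords):
    """Service side: bucket hash suffixes under their 5-character hash prefix."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index

def range_query(index, prefix):
    """Service side: receives only the prefix, returns every suffix in that bucket."""
    return index.get(prefix, set())

def is_leaked(password, index, sent=None):
    """Client side: hash locally, send the prefix, compare the suffix locally."""
    digest = sha1_hex(password)
    if sent is not None:
        sent.append(digest[:5])  # the only value that leaves the client
    return digest[5:] in range_query(index, digest[:5])

def audit(vault, index):
    """Flag every entry whose password is in the corpus, whatever the username."""
    return [site for site, _user, pw in vault if is_leaked(pw, index)]

if __name__ == "__main__":
    idx = build_index(LEAKED_PASSWORDS)
    print(audit(VAULT, idx))
    print(is_leaked("Summer2021", idx))
```

A variant with a different ending ("Summer2021") is not flagged unless that exact string is also in the corpus.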

Feb 16, 2021 5:35 AM in response to jwpinnacle

The miscreants will use any password found associated with an email address, and will then try those combinations ~everywhere.


Apple’s re-used password lists do correct themselves, though I’ve found stale password entries in the keychain can need to be located and manually removed after the active password keychain entry is updated—as website logins have moved around with some services, I’ve accrued stale entries, and those still get flagged. Just cleaned up several associated with the old and now-retired Apple login servers, and have more still to clean.


The duplicate-password display in macOS Safari is easier to use, when cleaning up stale and duplicate passwords.


I’d tend to expect that Apple uses their own password servers and data collection, possibly proxying into haveibeenpwned or other services. Apple generates a lot of network traffic, and even light traffic from a billion devices would bury many online network services.
