Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

"This password has appeared in a data leak" notice on iPhone

Is there any way to find out what website the data leak was from when getting this on my iphone settings?


I want to find the culprit for me now having to change my password used on 59 other sites



[Re-Titled by Moderator]

iPhone 11

Posted on Sep 29, 2020 9:22 AM

Reply
Question marked as Best reply

Posted on Nov 7, 2020 5:33 AM

I have a similar scenario, receiving a notification on my iPhone that approx 80 of my username/passwords are the subject of a data breach. However many of my passwords on this notification are different. Ie, not the same password across all sites. I often use a similar password but with different letters or numbers at the end.


Some of these notifications even related to my wife's email addresses and passwords, and one was my sons school log-on with different passwords.


So how can it be that all these websites have suffered data breach at the same time??


I can understand the concept of, say, a retailers website getting hacked and suffering a data breach that contains a list of all its customers including my email and password. And I get that as a precaution Apple may notify me about a potential breach for any other websites where I may have the same email & password combination. But why would I be notified of many other passwords being at risk? Is it because they may contain 'part' of the same password? But that still doesn't explain the notifications relating to my wife and sons passwords which are nothing like mine.


Its almost as if Apples whole key chain password app in my iPhone has been compromised and its spat out all the ones that don't contain a 18 key encryption.


I'm slowly working through them all again and changing them.


Thanks



133 replies

Mar 28, 2021 11:04 AM in response to Lawrence Finch

"So you are advocating NOT changing a password that has been leaked?"


I'm recommending changing it. I just want to explain, that if you get the "This password has appeared in a data leak", it does not necessarily mean, that your own username/password has been hacked.


If I would create username jarkko274 and password "qwerty" profile somewhere, I would immediately get the "This password has appeared in a data leak" warning, since "qwerty" has with 100 % certainty appeared in some data leak.


Mar 28, 2021 2:09 PM in response to Stulynn1000

Hello Stulynn1000 - could you help update me how you resolved this, I've had exactly the same breach - same scenario and have been very worried whether my keychain has been hacked, rather than the leaks on the third party sites. It's too coincidental that as many (65+ breaches in my case), have been involved in a breach all simultaneously AND the passwords are not the same. Many thanks!

Mar 28, 2021 2:17 PM in response to Applehelp0001

Applehelp0001 wrote:

Hello Stulynn1000 - could you help update me how you resolved this, I've had exactly the same breach - same scenario and have been very worried whether my keychain has been hacked, rather than the leaks on the third party sites. It's too coincidental that as many (65+ breaches in my case), have been involved in a breach all simultaneously AND the passwords are not the same. Many thanks!


Your Keychain is fine.


Update your passwords.


Use robust and unique passwords.


Here’s how this mess starts: some service gets breached. There are lots and lots of service breaches, too. Say that you have an account on that service. Or you have accounts on a hundred or two different services. Most of us have increasing numbers of these accounts, too.


When those services are breached, every password associated with each account listed in that and in every other breach is then tried on every other service. Continuously. Forever.


Re-use a password exposed in that or some other breach, and some miscreant will now have access to that service, and whatever additional access can be gained from there. Access to an Apple ID (and particularly one without two-factor enabled) is a Bad Day for the account holder, too.


Put differently... Duplicate passwords will get found, just as soon as there’s one been included in a server breach.


And if Apple is reporting this diagnostic, then the password is known to be associated with the account. Bad Day.


As for determining the number of breaches thar an email address has been found, see here:


https://haveibeenpwned.com/


Further reading over there will provide further background, too.


What to do? Unique and robust passwords are strongly suggested. Enable two-factor on important accounts such as your Apple ID, too. And if it’s been re-used or otherwise exposed, change your Apple ID password. Same for your device passcode, if that’s become known.

Mar 28, 2021 2:32 PM in response to MrHoffman

MrHoffman wrote:

Here’s how this mess starts: some service gets breached. There are lots and lots of service breaches, too. Say that you have an account on that service. Or you have accounts on a hundred or two different services. Most of us have increasing numbers of these accounts, too.

From experience, I'd like to emphasize that just because one's password is easily guessed or someone also has created the same password, say from an application that generates "random" passwords than that password will appear inside Apple's database. It doesn't mean that you specifically have been breached, but Apple's messaging is just that.


If in doubt, use another service to verify IF in fact your password has been breached. If it has, change it. Don't let this fearmongering on the part of Apple leave you insecure. I take their warning with a grain of salt.

Mar 28, 2021 2:53 PM in response to Confused_Canuck

If Apple says your password has been breached, that means it has appeared in a database of passwords that are for sale on the dark web and that have been collected by cybersecurity companies. This has nothing to do with passwords being easily guessed, they produce a different message, likewise for reused passwords. Even if in doubt you should change it, not just trust to luck.


The likelihood that a randomly generated password will be the same for 2 different users approaches zero. Randomly generated passwords are typically 15 or more random characters out of universe of about 70 possible characters in each position. So that means there are 70x70x70…x70 15 times, or 70^15th possible random passwords, or 5x10^27 different passwords.


Honestly, Apple adds a feature to iOS to protect its customers, and they get blamed for “fear-mongering”. As they say, no good deed goes unpunished. How does Apple benefit from telling you your data is at risk?


NOTE: Sorry for my original math error.

Mar 28, 2021 2:55 PM in response to Confused_Canuck

Confused_Canuck wrote:


MrHoffman wrote:

Here’s how this mess starts: some service gets breached. There are lots and lots of service breaches, too. Say that you have an account on that service. Or you have accounts on a hundred or two different services. Most of us have increasing numbers of these accounts, too.
From experience, I'd like to emphasize that just because one's password is easily guessed or someone also has created the same password, say from an application that generates "random" passwords than that password will appear inside Apple's database. It doesn't mean that you specifically have been breached, but Apple's messaging is just that.

If in doubt, use another service to verify IF in fact your password has been breached. If it has, change it. Don't let this fearmongering on the part of Apple leave you insecure. I take their warning with a grain of salt.


I fail to see what benefit a “second opinion” might offer here of benefit, over changing a password.


And passwords that are easily guessed are listed as such. And are listed as less serious issues.


Credentials pairs—account and password—that are breached are listed as breached. And listed as serious.


As for breached passwords? Change those. This particularly given the effort of the password change as compared with the effort and the mess created when an exposed password is misused.


And as you quite correctly state, different breach-listing services can have different data from different breaches.


Which means the proper determination here is a lack of matching breach data across all password-breach services, and not across those password-breach services with the particular answer that we might prefer. I’d rather assume breach than not.


If you don’t want to change your passwords, don’t.


If you don’t want password breach notifications, disable that feature.


But shopping for an answer? That seems... risky. Apple has a pretty big deployment and a pretty big network, after all. And a view into which accounts and password pairs have been exposed. And hazardous.

Mar 28, 2021 9:48 PM in response to MrHoffman

“Credentials pairs—account and password—that are breached are listed as breached. And listed as serious.”


Nope. It is enough, that that the certain _password_ has appeared in a database of breached password.


if username Bob has password “qwerty” in a site A and username Alice has password “qwerty “in site B and site B gets hacked, Bob will get warning “This password has appeared in a data leak” although Bob’s username/password pair is not hacked in a different site.


When warning says “ This password has appeared in a data leak” it means what it says.

Password has appeared in a data leak. Not necessarily your username/password combination.




Mar 29, 2021 6:58 AM in response to jarkko274

jarkko274 wrote:

“Credentials pairs—account and password—that are breached are listed as breached. And listed as serious.”

Nope. It is enough, that that the certain _password_ has appeared in a database of breached password.

if username Bob has password “qwerty” in a site A and username Alice has password “qwerty “in site B and site B gets hacked, Bob will get warning “This password has appeared in a data leak” although Bob’s username/password pair is not hacked in a different site.

If a password you use has been used by someone else, considering that there are trillions and more of possible passwords, it’s a weak password and that’s reason enough to change it. Even just 8 character passwords have 6x10^14 or 600 trillion possible combinations. How likely is any “good” password going to be the same as someone else’s password?

Mar 29, 2021 7:44 AM in response to jarkko274

jarkko274 wrote:

”If a password you use has been used by someone else, considering that there are trillions and more of possible passwords, it’s a weak password”

You’re right. I’m just discussing the mechanism.


You're debating a point that—even if you are correct, and of which that I doubt—the savings that you achieve here—avoiding a password change—are negligible in comparison to the risk entailed by following your advice should you be wrong about the data that Apple purports to have.


Apple specifically labels weak passwords as weak passwords. Weak. Not as breached passwords.


You have specifically decided that Apple lacks the insight and/or that Apple has bad data around what Apple specifically labels as breached credentials, and thus your conclusion here is that users should discount the data Apple purports to have, and to avoid doing what Apple specifically recommends. All to avoid changing a password that Apple specifically labels as a serious problem.


If you're right—if this is "merely" a common password that'll be easily found by hashcat or other tools—then I've saved the effort of changing a few of what you claim are mislabeled, weak passwords to better password choices. And my "weak" password will be more quickly found in the hashes, should the service associated with that password subsequently be breached. Re-use is bad, but ~all of us reuse some passwords.


If you're wrong—if Apple has found matching credentials in a breach—then I risk the effort of cleaning up after a breach right now, or just as soon as somebody crams the credentials.


I’ll change passwords flagged as breached soonest, and recommend others here do the same.

Mar 29, 2021 11:04 AM in response to MrHoffman

"Apple specifically labels weak passwords as weak passwords. Weak. Not as breached passwords".


Yes, and Apple also specifically says "This password has appeared in a data breach". Apple does not say "These username and password have appeared in a data breach".


Weak password is weak (i.e. short) password and password that has appeared in a data breach is a password that has appeared in a data brach. Nothing less, nothing more. Apple does not say anything about username/password pairs.


I'm not telling people, what they should do.


But I understand, that you're not going to change your opinion and you of course have the right to do so :)


Apr 9, 2021 3:26 PM in response to jarkko274

So I have read nearly all the replies in here. This is not directed to you but in general as I cant really find out where to write for general comment, but:

I first got a pop-up saying the password in disney+ Was involved in a data leak. Now Ive never gotten ANY notifs before this one and first thought it was a hoax. I then discovered the password section in settings - that Id never seen or heard about before. I had 10 passwords having been compromised etc and 55 warnings. I admit I do reuse some passwords on completely random sites, and switch and change where the numbers are located in the passwords etc. BUT: I do not at all use common passwords. I use specific ones that are personal to me - and refuse to think anyone could GUESS them. I decided to change the passwords for most of the 10 compromised ones, I deleted passwords on some of the 55 on sites I dont use often - thinking Id be asked for a password / or be told I had the incorrect password (since I deleted it) and had to change it. Apparently that worked for some sites, but in others I got in without any message (on the deleted password sites) Why does that not work?


And even worse: I did change my password on my email-address (Apple / Gmail) because I figured it was smart to change the most important once.

But what happened was: TODAY I get an e-mail and sms from Microsoft (seems to be the real address) saying Microsoft Account Security Alert - saying someone might have accessed my account!


i changed the password YESTERDAY - and this is the FIRST time I ever get this message about my account in I dunno 10 years? (Ive change passwords regularly when being told I should change due to long time with the same one)


also I too have checked haveibeenpwned and Ive only got 3 notes there. Same 3 for the five years Ive checked it. I changed my password in one of those back the first time - and hardlt ever use that site. As for the other Ive deleted the app coz I never used it. Cant remember the third now.

but yeah the 10 compromised ones are on totally random accounts and a few are saw password. I also got on my sons account ....


So smth does not ring right to me!


All this: do you want to save the password?

ofc we do! We want to remember the passwords! But I feel these things might end up getting us breached and leaked in the end...


Anyway had microsfot account for I dunno 20 years (?) changed passwords regularly - never (or max once) had a breach/leak, changing for the first time in a year yesterday and boom: someone else might use my account? Excuse me but wtf?

May 7, 2021 5:10 PM in response to Silverjoystix

The million dollar question has been asked and answered many times in the thread that you didn’t bother to read before posting. But there’s no harm in repeating the answer yet again. Cybersecurity specialists visit “dark web” forums where criminals hang out to buy and sell stolen credentials and other data, such as user IDs, passwords, names, addresses, credit card numbers, social security numbers, and virtually any data that any compromised website has stored about you. Facebook, for example. Or Equifax, the credit bureau who had 140 million complete accounts stolen a few years ago. But hundreds of websites have been hacked into over the past few years, not just these big ones. ParkMobile, for example was just hacked and data from 21 million accounts were stolen. The cybersecurity investigators publish lists of the compromised user IDs and passwords (but not the other stolen data), and just about anyone can subscribe to these lists. Apple does, and so does Google. So when you use a password on an iPhone, iPad, Mac, or other Apple product Apple checks to see if the password is on the list they subscribe to. Similarly, if you use a password on any Google service Google can check it.


There’s also a public website where you can check your passwords and user IDs to see if the have been compromised. Go to https://haveibeenpwned.com and you can enter your user ID, or click on Passwords and enter a password to see if it has been found on the dark web. BTW, while it says email or phone number, you can also enter a non-email type of user ID and it will check it.

May 8, 2021 8:31 PM in response to Silverjoystix

Silverjoystix wrote:

This is the million dollar question no one else is asking. How does Apple know?


Okay, here’s how this scheme works. Some service gets breached. There are lots and lots of service breaches, too.


Every password associated with each account listed in that and in every other breach is then tried on every other service.


Continuously.


Forever.


Re-use a password, and some miscreant will now have access to that service, and whatever additional access can be gained from there. Access ro an Apple,ID (and particularly one without two-factor enabled) is a Bad Day for the account holder, too.


Put differently... Duplicate passwords will get found, just as soon as there’s one been included in a server breach.


And if Apple is reporting this diagnostic, then the password is known to be associated with the account. Bad Day.


As for determining the number of breaches thar an email address has been found, see

https://haveibeenpwned.com/

Further reading over there will provide further background, too.


Resetting the phone is not necessary. Unique passwords are strongly suggested. Two-factor on important accounts such as your Apple ID, too.

Jul 31, 2021 5:52 PM in response to Aqellezra

I don't know whether this answer has been suggested - I didn't read the whole thread...but I'd like to suggest that perhaps the "warning" IS the scam, like some sort of MLM fiddle, where, if you use the warning itself to initiate the password updates, that's when you are actually breaching your own security and handing the scammers your passwords. If you're really concerned about it, I suggest never following the warning's link, but restarting and then going to sites that require your password directly, as you normally would, and change them then.

Otherwise, I think the "warning" is BS, and is, in fact, the danger.

"This password has appeared in a data leak" notice on iPhone

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.