
"This password has appeared in a data leak" notice on iPhone

Is there any way to find out what website the data leak was from when getting this on my iPhone settings?


I want to find the culprit for me now having to change my password used on 59 other sites



[Re-Titled by Moderator]

iPhone 11

Posted on Sep 29, 2020 9:22 AM

Question marked as Top-ranking reply

Posted on Nov 7, 2020 5:33 AM

I have a similar scenario, receiving a notification on my iPhone that approx. 80 of my username/passwords are the subject of a data breach. However, many of my passwords on this notification are different, i.e., not the same password across all sites. I often use a similar password but with different letters or numbers at the end.


Some of these notifications even related to my wife's email addresses and passwords, and one was my son's school log-on with different passwords.


So how can it be that all these websites have suffered a data breach at the same time?


I can understand the concept of, say, a retailer's website getting hacked and suffering a data breach that contains a list of all its customers including my email and password. And I get that as a precaution Apple may notify me about a potential breach for any other websites where I may have the same email & password combination. But why would I be notified of many other passwords being at risk? Is it because they may contain 'part' of the same password? But that still doesn't explain the notifications relating to my wife's and son's passwords which are nothing like mine.


It's almost as if Apple's whole Keychain password app in my iPhone has been compromised and it's spat out all the ones that don't contain an 18-key encryption.


I'm slowly working through them all again and changing them.


Thanks



133 replies

Mar 28, 2021 10:54 AM in response to jarkko274

jarkko274 wrote:

Of course. But if username Bob has password “qwerty” in a site A and username Alice has password “qwerty” in site B and site B gets hacked, Bob will get warning “This password has appeared in a data leak” although Bob’s username/password pair is not hacked.


Based on the tags shown in the password recommendations, that appears to be incorrect.


Apple refers to the commonly-used passwords as being “easily guessed”. When these cases do occur, these “easily guessed” passwords are listed in the password report available on iPhone and iPad, with an indication that the password is not a robust choice. This is seemingly what you are referring to above with “qwerty” or similarly common password selections such as “password” or “123456” or such.


Apple detects and flags other of our problem passwords as being “reused passwords”. Which can quickly turn into a larger problem.


The most critical password problems are what Apple lists as “this password has appeared in a data leak”. These are breached credential pairs; cases where your email address or your account name and your password are associated together and are known to others. This is a password problem just waiting for the first botnet to try that credentials pair elsewhere. Which is commonly happening, and Apple IDs can be or are valuable targets.


The “easily guessed” and the re-used passwords are of somewhat lower risk, with those becoming a more serious problem if (when?) those credentials are leaked somewhere.


Per Apple, iPhone also securely monitors your passwords and alerts you if they appear in known data leaks. If you don’t want iPhone to perform this monitoring, go to Settings > Passwords > Security Recommendations, then turn off Detect Compromised Passwords.


I’d encourage leaving this password-detection setting enabled, and resolving weak passwords and re-used passwords as reasonably feasible, and resolving breached passwords immediately.

Mar 28, 2021 10:59 AM in response to MrHoffman

It is true that there are different warnings for commonly-used passwords and leaked passwords, but that does not prove your point :) Again, it only tells that a certain password is commonly used, but not leaked. Many commonly used passwords are also leaked (since commonly used passwords are by definition used commonly) and then Bob gets a warning if Alice's password is leaked in some other site.

Mar 28, 2021 11:04 AM in response to Lawrence Finch

"So you are advocating NOT changing a password that has been leaked?"


I'm recommending changing it. I just want to explain that if you get the "This password has appeared in a data leak" warning, it does not necessarily mean that your own username/password has been hacked.


If I would create a username jarkko274 and password "qwerty" profile somewhere, I would immediately get the "This password has appeared in a data leak" warning, since "qwerty" has with 100% certainty appeared in some data leak.


Mar 28, 2021 2:09 PM in response to Stulynn1000

Hello Stulynn1000 - could you help update me how you resolved this, I've had exactly the same breach - same scenario and have been very worried whether my keychain has been hacked, rather than the leaks on the third party sites. It's too coincidental that as many (65+ breaches in my case), have been involved in a breach all simultaneously AND the passwords are not the same. Many thanks!

Mar 28, 2021 2:17 PM in response to Applehelp0001

Applehelp0001 wrote:

Hello Stulynn1000 - could you help update me how you resolved this, I've had exactly the same breach - same scenario and have been very worried whether my keychain has been hacked, rather than the leaks on the third party sites. It's too coincidental that as many (65+ breaches in my case), have been involved in a breach all simultaneously AND the passwords are not the same. Many thanks!


Your Keychain is fine.


Update your passwords.


Use robust and unique passwords.


Here’s how this mess starts: some service gets breached. There are lots and lots of service breaches, too. Say that you have an account on that service. Or you have accounts on a hundred or two different services. Most of us have increasing numbers of these accounts, too.


When those services are breached, every password associated with each account listed in that and in every other breach is then tried on every other service. Continuously. Forever.


Re-use a password exposed in that or some other breach, and some miscreant will now have access to that service, and whatever additional access can be gained from there. Access to an Apple ID (and particularly one without two-factor enabled) is a Bad Day for the account holder, too.


Put differently... Duplicate passwords will get found, just as soon as one has been included in a server breach.


And if Apple is reporting this diagnostic, then the password is known to be associated with the account. Bad Day.


As for determining the number of breaches that an email address has been found in, see here:


https://haveibeenpwned.com/


Further reading over there will provide further background, too.


What to do? Unique and robust passwords are strongly suggested. Enable two-factor on important accounts such as your Apple ID, too. And if it’s been re-used or otherwise exposed, change your Apple ID password. Same for your device passcode, if that’s become known.

Mar 28, 2021 2:32 PM in response to MrHoffman

MrHoffman wrote:

Here’s how this mess starts: some service gets breached. There are lots and lots of service breaches, too. Say that you have an account on that service. Or you have accounts on a hundred or two different services. Most of us have increasing numbers of these accounts, too.

From experience, I'd like to emphasize that just because one's password is easily guessed or someone else has also created the same password, say from an application that generates "random" passwords, then that password will appear inside Apple's database. It doesn't mean that you specifically have been breached, but Apple's messaging is just that.


If in doubt, use another service to verify IF in fact your password has been breached. If it has, change it. Don't let this fearmongering on the part of Apple leave you insecure. I take their warning with a grain of salt.

Mar 28, 2021 2:53 PM in response to Confused_Canuck

If Apple says your password has been breached, that means it has appeared in a database of passwords that are for sale on the dark web and that have been collected by cybersecurity companies. This has nothing to do with passwords being easily guessed, they produce a different message, likewise for reused passwords. Even if in doubt you should change it, not just trust to luck.


The likelihood that a randomly generated password will be the same for 2 different users approaches zero. Randomly generated passwords are typically 15 or more random characters out of a universe of about 70 possible characters in each position. So that means there are 70x70x70…x70 15 times, or 70^15th possible random passwords, or 5x10^27 different passwords.


Honestly, Apple adds a feature to iOS to protect its customers, and they get blamed for “fear-mongering”. As they say, no good deed goes unpunished. How does Apple benefit from telling you your data is at risk?


NOTE: Sorry for my original math error.

Mar 28, 2021 2:55 PM in response to Confused_Canuck

Confused_Canuck wrote:


MrHoffman wrote:

Here’s how this mess starts: some service gets breached. There are lots and lots of service breaches, too. Say that you have an account on that service. Or you have accounts on a hundred or two different services. Most of us have increasing numbers of these accounts, too.
From experience, I'd like to emphasize that just because one's password is easily guessed or someone else has also created the same password, say from an application that generates "random" passwords, then that password will appear inside Apple's database. It doesn't mean that you specifically have been breached, but Apple's messaging is just that.

If in doubt, use another service to verify IF in fact your password has been breached. If it has, change it. Don't let this fearmongering on the part of Apple leave you insecure. I take their warning with a grain of salt.


I fail to see what benefit a “second opinion” might offer here over changing a password.


And passwords that are easily guessed are listed as such. And are listed as less serious issues.


Credentials pairs—account and password—that are breached are listed as breached. And listed as serious.


As for breached passwords? Change those. This particularly given the effort of the password change as compared with the effort and the mess created when an exposed password is misused.


And as you quite correctly state, different breach-listing services can have different data from different breaches.


Which means the proper determination here is a lack of matching breach data across all password-breach services, and not across those password-breach services with the particular answer that we might prefer. I’d rather assume breach than not.


If you don’t want to change your passwords, don’t.


If you don’t want password breach notifications, disable that feature.


But shopping for an answer? That seems... risky. Apple has a pretty big deployment and a pretty big network, after all. And a view into which accounts and password pairs have been exposed. And hazardous.

Mar 28, 2021 9:48 PM in response to MrHoffman

“Credentials pairs—account and password—that are breached are listed as breached. And listed as serious.”


Nope. It is enough that a certain _password_ has appeared in a database of breached passwords.


If username Bob has password “qwerty” in a site A and username Alice has password “qwerty” in site B and site B gets hacked, Bob will get warning “This password has appeared in a data leak” although Bob’s username/password pair is not hacked in a different site.


When the warning says “This password has appeared in a data leak” it means what it says.

The password has appeared in a data leak. Not necessarily your username/password combination.

Mar 29, 2021 6:58 AM in response to jarkko274

jarkko274 wrote:

“Credentials pairs—account and password—that are breached are listed as breached. And listed as serious.”

Nope. It is enough that a certain _password_ has appeared in a database of breached passwords.

If username Bob has password “qwerty” in a site A and username Alice has password “qwerty” in site B and site B gets hacked, Bob will get warning “This password has appeared in a data leak” although Bob’s username/password pair is not hacked in a different site.

If a password you use has been used by someone else, considering that there are trillions and more of possible passwords, it’s a weak password and that’s reason enough to change it. Even just 8 character passwords have 6x10^14 or 600 trillion possible combinations. How likely is any “good” password going to be the same as someone else’s password?

Mar 29, 2021 7:44 AM in response to jarkko274

jarkko274 wrote:

“If a password you use has been used by someone else, considering that there are trillions and more of possible passwords, it’s a weak password”

You’re right. I’m just discussing the mechanism.


You're debating a point that—even if you are correct, and of which that I doubt—the savings that you achieve here—avoiding a password change—are negligible in comparison to the risk entailed by following your advice should you be wrong about the data that Apple purports to have.


Apple specifically labels weak passwords as weak passwords. Weak. Not as breached passwords.


You have specifically decided that Apple lacks the insight and/or that Apple has bad data around what Apple specifically labels as breached credentials, and thus your conclusion here is that users should discount the data Apple purports to have, and to avoid doing what Apple specifically recommends. All to avoid changing a password that Apple specifically labels as a serious problem.


If you're right—if this is "merely" a common password that'll be easily found by hashcat or other tools—then I've saved the effort of changing a few of what you claim are mislabeled, weak passwords to better password choices. And my "weak" password will be more quickly found in the hashes, should the service associated with that password subsequently be breached. Re-use is bad, but ~all of us reuse some passwords.


If you're wrong—if Apple has found matching credentials in a breach—then I risk the effort of cleaning up after a breach right now, or just as soon as somebody crams the credentials.


I’ll change passwords flagged as breached soonest, and recommend others here do the same.

Mar 29, 2021 11:04 AM in response to MrHoffman

"Apple specifically labels weak passwords as weak passwords. Weak. Not as breached passwords".


Yes, and Apple also specifically says "This password has appeared in a data breach". Apple does not say "These username and password have appeared in a data breach".


A weak password is a weak (i.e. short) password, and a password that has appeared in a data breach is a password that has appeared in a data breach. Nothing less, nothing more. Apple does not say anything about username/password pairs.


I'm not telling people, what they should do.


But I understand, that you're not going to change your opinion and you of course have the right to do so :)


Apr 9, 2021 3:26 PM in response to jarkko274

So I have read nearly all the replies in here. This is not directed to you but in general, as I can't really find out where to write for general comment, but:

I first got a pop-up saying the password in Disney+ was involved in a data leak. Now I've never gotten ANY notifications before this one and first thought it was a hoax. I then discovered the password section in settings - that I'd never seen or heard about before. I had 10 passwords having been compromised etc. and 55 warnings. I admit I do reuse some passwords on completely random sites, and switch and change where the numbers are located in the passwords etc. BUT: I do not at all use common passwords. I use specific ones that are personal to me - and refuse to think anyone could GUESS them. I decided to change the passwords for most of the 10 compromised ones, I deleted passwords on some of the 55 on sites I don't use often - thinking I'd be asked for a password / or be told I had the incorrect password (since I deleted it) and had to change it. Apparently that worked for some sites, but in others I got in without any message (on the deleted password sites). Why does that not work?


And even worse: I did change my password on my email address (Apple / Gmail) because I figured it was smart to change the most important ones.

But what happened was: TODAY I get an e-mail and SMS from Microsoft (seems to be the real address) saying Microsoft Account Security Alert - saying someone might have accessed my account!


I changed the password YESTERDAY - and this is the FIRST time I ever get this message about my account in I dunno 10 years? (I've changed passwords regularly when being told I should change due to a long time with the same one.)


Also I too have checked haveibeenpwned and I've only got 3 notes there. Same 3 for the five years I've checked it. I changed my password in one of those back the first time - and hardly ever use that site. As for the other, I've deleted the app because I never used it. Can't remember the third now.

But yeah, the 10 compromised ones are on totally random accounts and a few are saw password. I also got one on my son's account ....


So something does not ring right to me!


All this: do you want to save the password?

Of course we do! We want to remember the passwords! But I feel these things might end up getting us breached and leaked in the end...


Anyway, I've had a Microsoft account for I dunno 20 years (?), changed passwords regularly - never (or max once) had a breach/leak, changing for the first time in a year yesterday and boom: someone else might use my account? Excuse me but wtf?

May 7, 2021 5:10 PM in response to Silverjoystix

The million dollar question has been asked and answered many times in the thread that you didn’t bother to read before posting. But there’s no harm in repeating the answer yet again. Cybersecurity specialists visit “dark web” forums where criminals hang out to buy and sell stolen credentials and other data, such as user IDs, passwords, names, addresses, credit card numbers, social security numbers, and virtually any data that any compromised website has stored about you. Facebook, for example. Or Equifax, the credit bureau who had 140 million complete accounts stolen a few years ago. But hundreds of websites have been hacked into over the past few years, not just these big ones. ParkMobile, for example was just hacked and data from 21 million accounts were stolen. The cybersecurity investigators publish lists of the compromised user IDs and passwords (but not the other stolen data), and just about anyone can subscribe to these lists. Apple does, and so does Google. So when you use a password on an iPhone, iPad, Mac, or other Apple product Apple checks to see if the password is on the list they subscribe to. Similarly, if you use a password on any Google service Google can check it.


There’s also a public website where you can check your passwords and user IDs to see if they have been compromised. Go to https://haveibeenpwned.com and you can enter your user ID, or click on Passwords and enter a password to see if it has been found on the dark web. BTW, while it says email or phone number, you can also enter a non-email type of user ID and it will check it.
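The two posts above describe where breached-credential lists come from and that devices check stored passwords against them; the earlier reply (Mar 28, 10:54 AM) separates the three warning kinds (easily guessed, reused, appeared in a data leak), and the Bob/Alice exchange argues over whether the leak check matches a bare password or a username/password pair. The following example, added here and not code from the thread, from Apple, or from haveibeenpwned.com, models all of that locally. The breach corpus, the vault, and the common-password list are constructed sample data; the prefix-of-hash lookup imitates the k-anonymity range query that the Pwned Passwords API uses (the client sends only the first five hex characters of the SHA-1 hash and matches the rest locally), which is an assumption about how such a check can be built, not a statement of how Apple's detection is implemented.

```python
"""Local model of a 'this password has appeared in a data leak' check.

All data below is constructed for the example; nothing is fetched from the network.
"""
import hashlib
from collections import Counter, defaultdict

# Constructed "breach corpus": credential pairs from hypothetical site leaks.
BREACHED_PAIRS = [
    ("alice@example.com", "qwerty"),       # site B leak
    ("carol@example.com", "Summer2020!"),  # site C leak
    ("dave@example.com", "qwerty"),        # "qwerty" leaked again elsewhere
]

# Constructed list of easily guessed passwords.
COMMON_PASSWORDS = {"qwerty", "password", "123456", "letmein"}


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest, the form the Pwned Passwords API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(pairs):
    """Index leaked passwords by 5-char hash prefix, as a range service would.

    Only passwords are indexed, not usernames: a password-only lookup cannot say
    whose account the password came from, which is the point the thread argues.
    Returns {prefix5: {suffix35: occurrence count}}.
    """
    index = defaultdict(Counter)
    for _user, pw in pairs:
        h = sha1_hex(pw)
        index[h[:5]][h[5:]] += 1
    return index


RANGE_INDEX = build_range_index(BREACHED_PAIRS)


def range_query(prefix5: str):
    """Server side (simulated): the caller sends only the first five hex chars
    and receives every 'SUFFIX:COUNT' line in that bucket."""
    return [f"{suffix}:{count}" for suffix, count in sorted(RANGE_INDEX[prefix5].items())]


def password_leak_count(password: str) -> int:
    """Client side: hash locally, query by prefix, match the suffix locally.
    The full hash (and the password) never leaves the client."""
    h = sha1_hex(password)
    for line in range_query(h[:5]):
        suffix, count = line.split(":")
        if suffix == h[5:]:
            return int(count)
    return 0


def pair_leaked(user: str, password: str) -> bool:
    """Stricter check: is this exact username/password pair in the corpus?"""
    return (user, password) in BREACHED_PAIRS


def audit_vault(vault):
    """Classify each stored credential (site, user, password) into the warning
    kinds discussed in the thread. Returns {site: set of flags}."""
    uses = Counter(pw for _site, _user, pw in vault)
    report = {}
    for site, user, pw in vault:
        flags = set()
        if pw in COMMON_PASSWORDS or len(pw) < 8:
            flags.add("easily guessed")
        if uses[pw] > 1:
            flags.add("reused")
        if password_leak_count(pw) > 0:
            flags.add("appeared in a data leak")
        if pair_leaked(user, pw):
            flags.add("credential pair leaked")
        report[site] = flags
    return report


# Constructed vault for user Bob (hypothetical sites and passwords).
VAULT = [
    ("siteA", "bob@example.com", "qwerty"),            # Bob's own pair never leaked
    ("siteD", "bob@example.com", "k8#Vw2pL!qZ9mT4e"),  # long random password...
    ("siteE", "bob@example.com", "k8#Vw2pL!qZ9mT4e"),  # ...reused on a second site
    ("siteF", "carol@example.com", "Summer2020!"),     # exact pair present in corpus
]

if __name__ == "__main__":
    for site, flags in audit_vault(VAULT).items():
        print(site, sorted(flags))
```

Running it shows siteA flagged as "appeared in a data leak" purely because the password string is in the corpus, even though Bob's pair was never breached, while siteF additionally gets the stricter "credential pair leaked" flag; siteD and siteE are only "reused". Whichever of the two matching rules a real service applies, the mitigation the thread converges on is the same: replace any password carrying either leak flag, and stop reusing the one shared across siteD and siteE.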

May 8, 2021 8:31 PM in response to Silverjoystix

Silverjoystix wrote:

This is the million dollar question no one else is asking. How does Apple know?


Okay, here’s how this scheme works. Some service gets breached. There are lots and lots of service breaches, too.


Every password associated with each account listed in that and in every other breach is then tried on every other service.


Continuously.


Forever.


Re-use a password, and some miscreant will now have access to that service, and whatever additional access can be gained from there. Access to an Apple ID (and particularly one without two-factor enabled) is a Bad Day for the account holder, too.


Put differently... Duplicate passwords will get found, just as soon as there’s one been included in a server breach.


And if Apple is reporting this diagnostic, then the password is known to be associated with the account. Bad Day.


As for determining the number of breaches that an email address has been found in, see

https://haveibeenpwned.com/

Further reading over there will provide further background, too.


Resetting the phone is not necessary. Unique passwords are strongly suggested. Two-factor on important accounts such as your Apple ID, too.
