"This password has appeared in a data leak" notice on iPhone

It would still be nice to know where Apple is getting their data from. Some of my passwords are popping on my iPhone, even though the associated email address has no results on haveibeenpwned. I've always used haveibeenpwned as a source of truth on leaks, and now I don't know who to trust if various sources don't agree. Hard to tell if one is missing data, or one is exaggerating it.

Fully agree -According to Apple I have 221 date leaks. I check via haveibeenpwnd and I have 11.

I go onto my my iPad and check my facebook and it states it is active at a town 100 kms away and have not been to that town for 30 years- do a security check with Facebook and haveibeenpwned - the FB Page has not been noted as a leak - so don't know who to trust!

Funnily enough I just ran in to this issue this morning. I was logging in to the management console of a switch on a hardened network that has no access to the internet. Local wifi access to the switch and it is a 24 random character password and is only used on this specific switch. haveibeenpwned lists it as good. I’m more inclined to believe that ios just doesn’t like the fact that the password is more than a year old.. Even then, I’m not too worried about it because they would first have to gain access to my server room and get on the local network to access the switch and THEN figure out what the 20 character username is..

But to keep passwords for every websites is insane. How can we remember those passwords? If this is the solution then it sucks. Normal people can't remember each and every password (now you will tell that you don't have to remember the password but instead your phone or computer will do it. Unfortunately, Life is not that simple.

Cyber researchers have to work more hard on solving this problem.

I was informed by Apple that all my passwords were part of a data leak. I don’t use my Apple password for anything except for Apple which means that they had the data leak. They are also telling me that every other password I have was leaked so they leaked all of my passwords?! What the heck happened?!

One other odd thing is they warn me about one of my passwords because it contains a common word, fair enough, but the “common word” they show is part of the password that contains two special characters so it’s not a word at all.

Any compromised password has an associated user ID, and also the account it was harvested from. So if you have a password that is on the list anyone who buys your record from the stolen database can access the associated site - unless you also have 2 factor authentication.

Thanks - would you agree the iOS 14 alerts are confusing in only mentioning the password then?

Fortunately those that appear for me have additional precautions such as texted phone codes, but it's all rather disconcerting if the site owners (some credit cards) haven't figured out their login data has been compromised!

Hey guys i got the same message so i clicked on it and it took me to the page with all leaked sites. I was gonna change all my passwords later so i turned my phone off. But now i can’t find the page again to change my password. Do y’all know where it is?

Well. If 1password, Bitwarden, and Google don't flag my password, guess what I'm assuming? It's a false positive. Sure, you can change tour password but if it's an iTunes account it's usually a RPIA to manually enter it those stupid times Apple won't let you use their own password auto fill.

You also should be mindful that we don't know what haveibeenpwned does with the passwords or email addresses you enter to check. Is the search performed on RAM servers or is there a log? If it's the latter, everyone who has done a search on their site is at risk. Just saying.

Just a reminder. The Apple warning may be a false positive. As a few others have chimed in, Apple support says the same and they just want you to change your password. They're inciting fear which is a terrible thing. But it's ok. Insurrection and incitement is perfectly acceptable in the West.

Also, anytime you enter your password online to sites which check for password breaches, you're opening up yourself to being compromised. I suggest after you do this, you change your password anyway.

And to the Apple missionaries and activists, Apple is playing you if you believe they genuinely care about our privacy. They may care more than Huawei or Google, but they still can't be trusted completely. They don't have their own special forces unit or exclusive database that checks your password for breaches. They use what everyone else does.

"I’d tend to expect that Apple uses their own password servers and data collection, possibly proxying into haveibeenpwned or other services. Apple generates a lot of network traffic, and even light traffic from a billion devices would bury many online network services."

And how would only Apple identify compromised passwords that even security companies don't? If anything, they might flag a weaker password as compromised.

As others have said, many times your password isn't compromised. Apple wants you to change it for any number of reasons other than that.

Instead of saying specifically why, they just falsely say it's compromised. That's fear mongering and lying.

If one has common password, let’s say “qwerty”, one will with 100% probability get warning about breached password. But it only means that this common password has appeared in some data leak. Most likely it has appeared in some other users username/password combination. So it doesn’t mean that your own username/password has leaked. It only means that someone somewhere used “qwerty” as password in some site that got hacked.

I’ve had this problem ever since updating to iOS 14.4. Different logins, different passwords, every time I login with Apple stored password this message pops up. It seems that the problem is not with an individual logins but with Apple, either with their settings for password storage, or a leak from iCloud that Apple hasn’t yet disclosed.