"This password has appeared in a data leak" notice on iPhone

Is there any way to find out what website the data leak was from when getting this in my iPhone settings?


I want to find the culprit for me now having to change my password used on 59 other sites.



[Re-Titled by Moderator]

iPhone 11

Posted on Sep 29, 2020 9:22 AM

Question marked as Top-ranking reply

Posted on Mar 28, 2021 7:32 AM

No, the problem is not with Apple. Apple is simply the messenger, telling you that a password (or passwords) that you have used has been found in published lists of passwords that have been stolen from various online sites. There are databases that are built by cybersecurity companies going to the dark web and seeing what stolen information is offered for sale by various criminal enterprises. Google offers a similar feature in Chrome, and the site https://haveibeenpwned.com can also tell you if a password that you use has been found in login information stolen from other sites.


If you want to learn about the hundreds of sites that have been hacked (many of which you probably use) Brian Krebs reports on the latest ones: https://krebsonsecurity.com. Some of the largest include Equifax, Marriott Hotels, the US Government’s personnel management agency, and many chain restaurants. And the most recent is almost all sites worldwide that use Microsoft Exchange.

133 replies

Mar 28, 2021 8:52 AM in response to MrHoffman

My point was that when you get the "This password has appeared in a data leak" warning, it only means what it literally says. Password has appeared in a data leak. It does not necessarily mean that _your_ username/password combination has appeared in a data leak. If you have a common password, it will very probably appear in some data leak, because some other user has used it.

Mar 28, 2021 10:59 AM in response to MrHoffman

It is true that there are different warnings for commonly-used passwords and leaked passwords, but that does not prove your point :) Again, it only tells that a certain password is commonly used, but not leaked. Many commonly used passwords are also leaked (since commonly used passwords are by definition used commonly) and then Bob gets a warning if Alice's password is leaked on some other site.
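The distinction argued in the replies above (a match on the password alone, not on a username/password pair), as an added example that is not part of the thread and is not Apple's implementation: a simplified model of a password-only leak lookup in the style of the haveibeenpwned range query. All records, names and logins below are constructed assumptions.

```python
import hashlib
from collections import Counter

# Constructed sample breach records (site, username, password); not real data.
LEAKED_RECORDS = [
    ("shop.example", "alice@example.com", "Sunshine2019!"),
    ("forum.example", "carol@example.com", "Sunshine2019!"),
    ("games.example", "dave@example.com", "qwerty123"),
]

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_password_index(records):
    """Keep only password hashes and counts; site and username are dropped."""
    return Counter(sha1_hex(pw) for _site, _user, pw in records)

def range_query(index, prefix: str):
    """Server side of a k-anonymity lookup: suffixes sharing a 5-char hash prefix."""
    return {h[5:]: n for h, n in index.items() if h.startswith(prefix)}

def times_seen(index, password: str) -> int:
    """Client side: reveal only the hash prefix, compare the suffix locally."""
    digest = sha1_hex(password)
    return range_query(index, digest[:5]).get(digest[5:], 0)

def audit(index, saved_logins):
    """saved_logins: (site, username, password) tuples from a hypothetical keychain."""
    flagged = []
    for site, user, pw in saved_logins:
        count = times_seen(index, pw)
        if count > 0:
            flagged.append((site, user, count))
    return flagged

INDEX = build_password_index(LEAKED_RECORDS)

# Bob never appears in LEAKED_RECORDS, but reuses a password Alice also used.
BOB_LOGINS = [
    ("bank.example", "bob@example.com", "Sunshine2019!"),
    ("mail.example", "bob@example.com", "vK9#tq2LmZ-unique"),
]

if __name__ == "__main__":
    for site, user, n in audit(INDEX, BOB_LOGINS):
        print(f"{site}: password seen {n} time(s) in leaks; source site not recorded")
```

Because the index in this model keeps only hashes and counts, a match cannot say which site or which account the password came from.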

Mar 28, 2021 2:09 PM in response to Stulynn1000

Hello Stulynn1000 - could you help update me how you resolved this, I've had exactly the same breach - same scenario and have been very worried whether my keychain has been hacked, rather than the leaks on the third party sites. It's too coincidental that as many (65+ breaches in my case), have been involved in a breach all simultaneously AND the passwords are not the same. Many thanks!

Mar 29, 2021 11:04 AM in response to MrHoffman

"Apple specifically labels weak passwords as weak passwords. Weak. Not as breached passwords".


Yes, and Apple also specifically says "This password has appeared in a data breach". Apple does not say "These username and password have appeared in a data breach".


A weak password is a weak (i.e. short) password and a password that has appeared in a data breach is a password that has appeared in a data breach. Nothing less, nothing more. Apple does not say anything about username/password pairs.


I'm not telling people what they should do.


But I understand that you're not going to change your opinion and you of course have the right to do so :)


Apr 9, 2021 3:26 PM in response to jarkko274

So I have read nearly all the replies in here. This is not directed to you but in general as I can't really find out where to write for general comment, but:

I first got a pop-up saying the password in Disney+ was involved in a data leak. Now I've never gotten ANY notifs before this one and first thought it was a hoax. I then discovered the password section in settings - that I'd never seen or heard about before. I had 10 passwords having been compromised etc and 55 warnings. I admit I do reuse some passwords on completely random sites, and switch and change where the numbers are located in the passwords etc. BUT: I do not at all use common passwords. I use specific ones that are personal to me - and refuse to think anyone could GUESS them. I decided to change the passwords for most of the 10 compromised ones, I deleted passwords on some of the 55 on sites I don't use often - thinking I'd be asked for a password / or be told I had the incorrect password (since I deleted it) and had to change it. Apparently that worked for some sites, but in others I got in without any message (on the deleted password sites). Why does that not work?


And even worse: I did change my password on my email-address (Apple / Gmail) because I figured it was smart to change the most important ones.

But what happened was: TODAY I get an e-mail and sms from Microsoft (seems to be the real address) saying Microsoft Account Security Alert - saying someone might have accessed my account!


I changed the password YESTERDAY - and this is the FIRST time I ever get this message about my account in I dunno 10 years? (I've changed passwords regularly when being told I should change due to long time with the same one)


Also I too have checked haveibeenpwned and I've only got 3 notes there. Same 3 for the five years I've checked it. I changed my password in one of those back the first time - and hardly ever use that site. As for the other I've deleted the app coz I never used it. Can't remember the third now.

But yeah the 10 compromised ones are on totally random accounts and a few are same password. I also got on my son's account ....


So smth does not ring right to me!


All this: do you want to save the password?

ofc we do! We want to remember the passwords! But I feel these things might end up getting us breached and leaked in the end...


Anyway had Microsoft account for I dunno 20 years (?) changed passwords regularly - never (or max once) had a breach/leak, changing for the first time in a year yesterday and boom: someone else might use my account? Excuse me but wtf?

Jul 31, 2021 6:09 PM in response to Lawrence Finch

Thanks for the reply. I have no doubt that the various functions described in your referral are in place. But the "warning" I've been getting doesn't particularly look like an Apple graphic. And, incidentally, I'm not getting them on my phone, although I'm not sure that would matter. But, if I were looking to gather passwords nefariously, this would be an excellent way to do it.

Thanks again.

Aug 15, 2021 2:49 PM in response to Achi Newell

Hi, Achi - thanks for taking the time to reply in such detail to the original poster. It's been a couple of weeks since I posted my reply, and I haven't received 'the notice' again in that time...I posted as a warning that the notices - at least some of them - might themselves be attempts to get people to reveal their info, and I still think so. The "urgency" with which some of the responders press you to address it could be a good thing, or it could be - when they then refer you to commercial sites of possibly dubious nature - another sign.

Personally, I DO use Apple's password generator, and have only a couple unused passwords from the distant past.

Again, I'm sure this is a valid issue, but I'm not completely confident about some of the suggested "cures".

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.