"This password has appeared in a data leak" notice on iPhone

Is there any way to find out what website the data leak was from when getting this on my iPhone settings?


I want to find the culprit for me now having to change my password used on 59 other sites.



[Re-Titled by Moderator]

iPhone 11

Posted on Sep 29, 2020 9:22 AM

Question marked as Top-ranking reply

Posted on Mar 28, 2021 7:32 AM

No, the problem is not with Apple. Apple is simply the messenger, telling you that a password (or passwords) that you have used have been found in published lists of passwords that have been stolen from various online sites. There are databases that are built by cybersecurity companies going to the dark web and seeing what stolen information is offered for sale by various criminal enterprises. Google offers a similar feature in Chrome, and the site https://haveibeenpwned.com can also tell you if a password that you use has been found in login information stolen from other sites.


If you want to learn about the hundreds of sites that have been hacked (many of which you probably use) Brian Krebs reports on the latest ones: https://krebsonsecurity.com. Some of the largest include Equifax, Marriott Hotels, the US Government’s personnel management agency, and many chain restaurants. And the most recent is almost all sites worldwide that use Microsoft Exchange.

133 replies

Jul 31, 2021 5:52 PM in response to Aqellezra

I don't know whether this answer has been suggested - I didn't read the whole thread...but I'd like to suggest that perhaps the "warning" IS the scam, like some sort of MLM fiddle, where, if you use the warning itself to initiate the password updates, that's when you are actually breaching your own security and handing the scammers your passwords. If you're really concerned about it, I suggest never following the warning's link, but restarting and then going to sites that require your password directly, as you normally would, and change them then.

Otherwise, I think the "warning" is BS, and is, in fact, the danger.

Aug 15, 2021 1:24 PM in response to Aqellezra

Hi

I have received this notification too, although I use a password manager as well as having checked on Have I Been Pwned, and neither of them reports a problem.

Some of these at least are clearly linked to the email address not the password.

I know this because about 4 years ago one of my email addresses was compromised in a data breach and that was reported to me by my password manager.

I retired the address and changed all the passwords associated with it, and it is mostly very old passwords I changed long ago associated with this email which are being flagged.

To be clear, the email is the same but the passwords are all different.

So I suggest you also check that the email address in the notification has not been compromised.

There are also a couple of other old passwords which are frankly a bit simple and just happen to be the same as ones leaked from someone else. I'm happy to say none of my very strong unique passwords created by a password generator have been leaked and that's really the way you need to go.

Why Apple and not the other sites? I think Apple's reach is bigger. Considering how many devices it has supplied and every one of them signs into their cloud for something. Find my phone, email, register a product, photos, music. All using their servers for something.

Best

Aug 15, 2021 9:40 PM in response to boredumb

You make a very important point and I hadn't picked up on that.

Definitely, sometimes when you get a notification saying a password has been compromised it's a scam.

Same as when you get a pop-up saying your Mac is full of malware. There was one someone posted here that looked very much like a scam.

Similarly, be careful checking passwords. I think 'Have I Been Pwned' is ok but there are sites that are collecting them so you may actually be giving them away when you enter them to be tested.

If your machine is compromised and has a keylogger installed, then changing your password will only give the baddies your new password, so you need to occasionally run some anti-malware, and Malwarebytes is respectable for the Mac. You can run it for free.

So if you are getting notifications make sure they are really from Apple and you can do that by the following:

If you are on the phone then go to Settings>passwords and security alerts can be found there. (Settings is the gearwheel if you aren't sure.)

If you are on the Mac then in Safari, on the 'Safari' tab on the top left address bar go preferences>passwords and you'll find a triangle next to any passwords they are flagging you about, which will give you more info when you click on it.

These Apple ones you can be sure of.

People should really use Keychain and allow it to generate strong, unique passwords.

Or a password manager if you want to use iOS and Android or Mac and Windows or if you want to use another browser other than Safari.

People worry about storing passwords in the cloud like in Keychain or a password manager, but if you have used them to log into something on the net then they are all out there stored in cyberspace anyway.

Where they are stored is less important than how difficult they are to get into, and the sort of encryption and security Apple and the likes of Dashlane and 1Password put into it is far greater than for the guy selling dogfood online working out of a broom cupboard, your dentist or even your lawyer!

Best wishes and thanks for the nice reply.
