You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Password in data leak

Hi, I’ve just checked on my passwords section on my iPhone 11 and it’s telling me my password has been detected on a data Leak and telling me I should change most of my passwords... is this right? Do I change them by clicking the link from my phone?

iPhone 11, iOS 14

Posted on Nov 17, 2020 12:12 PM

Reply
Question marked as Top-ranking reply

Posted on Dec 3, 2020 3:46 AM

Should I be worried? Or is it possible that it is something that happened a long time ago and due to the update it is just telling me now? I just need to know if I should change all 100 of my passwords cause apple clearly won’t help

41 replies

Dec 5, 2020 10:40 AM in response to Jamiewells394

Ever heard about ‘have i been pwned?’ service? If not then look it up. As this is pretty much what you iPhone is doing; it is checking if any of services you have account has been pwned then possibly checks date last time you updated your password. If date of your last password update is greater than date when service was pwned then you’ll see the warning on your device.


You shouldn’t re-use the same password on different services. Use iCloud Keychain, or other password manager to generate passwords for you.


Nov 20, 2020 10:16 AM in response to Hatty1001

I found the same message after I purchased 2 TB of iCloud storage, coincided with update. I had 443 alerts under Settings-Passwords listing every single account with a Safari memorized password. Apple support tech looked at his own phone and found similar messages specifically stating "This password has appeared in a data leak, which puts this account at high risk of compromise. You should change your password immediately." He was alarmed and promised

Apple Security and Privacy Department would call me about 4 days later, which they did not do. Called again yesterday and spent another hour on the phone, meticulous notes by tech, promising a phone call this morning which again did not occur. Called apple again, got connected to Security and Privacy at last, and technician who had no time to review the notes on the account, played it down like it's a generic alert that I could turn off if it bothered me. The wording is too specific to be nothing. What else could this be but an iCloud leak? Or are the Apple engineers that loose with the English language?

Feb 19, 2021 2:36 PM in response to Hatty1001

I used the safari-generated, strong password yesterday to update one of my frequently used websites. I did this from a new MacBook Air (BigSur 11.2). Today, as I was troubleshooting synch issues between mac and iPhone 12, the iPhone password manager warned me that this same website password had been compromised - the 'strong' password that I just updated yesterday. And I confirmed that both phone and laptop saved the new safari generated pw. No one else uses my devices. I guess it's possible that in less than 24 hours there was a data leak - or is there a glitch in the password manager that is giving me this warning message?

Nov 22, 2020 3:15 PM in response to Hatty1001

It’s a new feature built into iOS 14.


From iOS 14 User Guide (https://support.apple.com/en-ie/guide/iphone/iphd5d8daf4f/ios):


iPhone also securely monitors your passwords and alerts you if they appear in known data leaks. If you don’t want iPhone to perform this monitoring, go to Settings > Passwords > Security Recommendations, then turn off Detect Compromised Passwords.



Jan 4, 2021 7:27 AM in response to Hatty1001

Well it's easy to explain. The leak occurred somewhen. And since this leak was discovered, the passwords from that leak are known.

So all leaked passwords (12345678, secret, password, ....) are stored in a public database - without relation to a user account.

And the new feature of the iPhone (and Mac) knows your stored passwords and matches them against the known database with the leaked passwords.

But don't be afraid! They scramble your password into an unique identifier. "secret" will be for example something like this "324*234çç5*ç%LFJ*OJç" (varies and depends on the algorithm). And the same is done on the other side.

If there's a match, you'll be alarmed by the new feature.

So, it could also be, that someone else was hacked and this guy used the same password "secret". In any case, it's an indicator, that your password strength seems not to be very good and you should consider changing it.

Also, you should not use the same password for different accounts.

Jan 18, 2021 5:05 PM in response to Jamiewells394

I received the same notification on my iPad Pro in December 2020. I had just bought the iPad a few months prior, so I only had a couple dozen passwords to change, which I did. What is more troubling to me is that now, a month after I changed my passwords and used them a few times each, I’m now getting the exact warning notification again on a handful of websites that I just changed the password last month. Is anyone else experiencing this?

Feb 4, 2021 12:00 PM in response to Nk925

The same has happened to me, except over 40 new notifications. I’ve been trying to change passwords from my iphone and several of them have been very glitchy and will say I’ve saved new password but then lock me out when I try to log back in. And neither password works now. It is starting to freak me out.

Feb 4, 2021 4:03 PM in response to LJFDKDF

I just purchased a new iphone12 and and have the same warning about my password. It says I need to change 102 account passwords. I tried to do it on two accounts and was unsuccessful too! Not sure what to do at this point, change every single account password? Where do I start with this new found issue?

Feb 7, 2021 1:20 PM in response to amynbp

I scrolled through and a lot of mine were really old sites that I have not engaged with in years. I changed all of the passwords for sites I use regularly or even once in a while, but didn’t bother with the rest. It’s alarming that passwords are so easily obtained. I’m setting reminders to go in and change all of my critical ones on a monthly basis in hopes that it will improve my odds. I didn’t change any of my passwords using the embedded link in the alert on my phone. I used my laptop and went to each site directly.

Feb 20, 2021 3:43 PM in response to lantaul

lantaul wrote:

I know this makes sense but what happens in a type of situation where your phone is stolen or lost or broken and then you have to use a loaner or try and set up new phone... is keychains or the autogenerated passwords going to be accessible?


With iCloud Keychain enabled, yes.


With iCloud backups or with local backups, yes.


If you’re fond of operating without backups, then no.


But without backups, photos and other contents can (will) be lost when a device is lost or stolen or damaged, too.

Password in data leak

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.