Password in data leak

Should I be worried? Or is it possible that it is something that happened a long time ago and due to the update it is just telling me now? I just need to know if I should change all 100 of my passwords cause apple clearly won’t help

Ever heard about ‘have i been pwned?’ service? If not then look it up. As this is pretty much what you iPhone is doing; it is checking if any of services you have account has been pwned then possibly checks date last time you updated your password. If date of your last password update is greater than date when service was pwned then you’ll see the warning on your device.

You shouldn’t re-use the same password on different services. Use iCloud Keychain, or other password manager to generate passwords for you.

I found the same message after I purchased 2 TB of iCloud storage, coincided with update. I had 443 alerts under Settings-Passwords listing every single account with a Safari memorized password. Apple support tech looked at his own phone and found similar messages specifically stating "This password has appeared in a data leak, which puts this account at high risk of compromise. You should change your password immediately." He was alarmed and promised

Apple Security and Privacy Department would call me about 4 days later, which they did not do. Called again yesterday and spent another hour on the phone, meticulous notes by tech, promising a phone call this morning which again did not occur. Called apple again, got connected to Security and Privacy at last, and technician who had no time to review the notes on the account, played it down like it's a generic alert that I could turn off if it bothered me. The wording is too specific to be nothing. What else could this be but an iCloud leak? Or are the Apple engineers that loose with the English language?

I used the safari-generated, strong password yesterday to update one of my frequently used websites. I did this from a new MacBook Air (BigSur 11.2). Today, as I was troubleshooting synch issues between mac and iPhone 12, the iPhone password manager warned me that this same website password had been compromised - the 'strong' password that I just updated yesterday. And I confirmed that both phone and laptop saved the new safari generated pw. No one else uses my devices. I guess it's possible that in less than 24 hours there was a data leak - or is there a glitch in the password manager that is giving me this warning message?

It’s a new feature built into iOS 14.

From iOS 14 User Guide (https://support.apple.com/en-ie/guide/iphone/iphd5d8daf4f/ios):

iPhone also securely monitors your passwords and alerts you if they appear in known data leaks. If you don’t want iPhone to perform this monitoring, go to Settings > Passwords > Security Recommendations, then turn off Detect Compromised Passwords.

I'm seeing that everyone is experiencing this only on iPhone. This notification came up on my Mac earlier today when I visited a website I frequent. It alarmed me, I've never seen anything like that before.

Well it's easy to explain. The leak occurred somewhen. And since this leak was discovered, the passwords from that leak are known.

So all leaked passwords (12345678, secret, password, ....) are stored in a public database - without relation to a user account.

And the new feature of the iPhone (and Mac) knows your stored passwords and matches them against the known database with the leaked passwords.

But don't be afraid! They scramble your password into an unique identifier. "secret" will be for example something like this "324*234çç5*ç%LFJ*OJç" (varies and depends on the algorithm). And the same is done on the other side.

If there's a match, you'll be alarmed by the new feature.

So, it could also be, that someone else was hacked and this guy used the same password "secret". In any case, it's an indicator, that your password strength seems not to be very good and you should consider changing it.

Also, you should not use the same password for different accounts.

I received the same notification on my iPad Pro in December 2020. I had just bought the iPad a few months prior, so I only had a couple dozen passwords to change, which I did. What is more troubling to me is that now, a month after I changed my passwords and used them a few times each, I’m now getting the exact warning notification again on a handful of websites that I just changed the password last month. Is anyone else experiencing this?

The same has happened to me, except over 40 new notifications. I’ve been trying to change passwords from my iphone and several of them have been very glitchy and will say I’ve saved new password but then lock me out when I try to log back in. And neither password works now. It is starting to freak me out.

I just purchased a new iphone12 and and have the same warning about my password. It says I need to change 102 account passwords. I tried to do it on two accounts and was unsuccessful too! Not sure what to do at this point, change every single account password? Where do I start with this new found issue?

I scrolled through and a lot of mine were really old sites that I have not engaged with in years. I changed all of the passwords for sites I use regularly or even once in a while, but didn’t bother with the rest. It’s alarming that passwords are so easily obtained. I’m setting reminders to go in and change all of my critical ones on a monthly basis in hopes that it will improve my odds. I didn’t change any of my passwords using the embedded link in the alert on my phone. I used my laptop and went to each site directly.

I know this makes sense but what happens in a type of situation where your phone is stolen or lost or broken and then you have to use a loaner or try and set up new phone... is keychains or the autogenerated passwords going to be accessible?

Knowing my password and having it written down has seemed to save my butt in such an unfortunate event... that being said.. I can’t remember 104 different passwords and so I am going to obviously reuse. Do you think apple just warms you that it could be a leak if you have reused the same one too many times?

lantaul wrote:

I know this makes sense but what happens in a type of situation where your phone is stolen or lost or broken and then you have to use a loaner or try and set up new phone... is keychains or the autogenerated passwords going to be accessible?

With iCloud Keychain enabled, yes.

With iCloud backups or with local backups, yes.

If you’re fond of operating without backups, then no.

But without backups, photos and other contents can (will) be lost when a device is lost or stolen or damaged, too.