Password in data leak

Hi, I’ve just checked on my passwords section on my iPhone 11 and it’s telling me my password has been detected on a data leak and telling me I should change most of my passwords... is this right? Do I change them by clicking the link from my phone?

iPhone 11, iOS 14

Posted on Nov 17, 2020 12:12 PM

Question marked as Top-ranking reply

Posted on Dec 3, 2020 3:46 AM

Should I be worried? Or is it possible that it is something that happened a long time ago and due to the update it is just telling me now? I just need to know if I should change all 100 of my passwords cause Apple clearly won’t help

41 replies

Feb 20, 2021 4:41 PM in response to lantaul

lantaul wrote:

I know this makes sense but what happens in a type of situation where your phone is stolen or lost or broken and then you have to use a loaner or try and set up new phone... is keychains or the autogenerated passwords going to be accessible?

You can sync the replacement phone to iCloud to sync the passwords stored in Keychain. If you are really worried when you have Keychain generate a password you can look it up in Settings/Passwords and write it down or save it to a document or (password protected) spreadsheet.

Feb 20, 2021 4:51 PM in response to Lawrence Finch

Thank you for your response.

No, so if I wanted to change alllllll of my passwords to keychain... I would never get an alert or warning of a leak?

And if I choose to change them all I would have to do each one individually... Log in to each website and go through settings and try and figure out this keychain thing? Gosh, I hate I don’t know how to use all of the bonus features to my phone. Or pretty much all technology. Geez!! Lol

Feb 20, 2021 5:00 PM in response to lantaul

lantaul wrote:

Thank you for your response.
No, so if I wanted to change alllllll of my passwords to keychain... I would never get an alert or warning of a leak?
And if I choose to change them all I would have to do each one individually... Log in to each website and go through settings and try and figure out this keychain thing? Gosh, I hate I don’t know how to use all of the bonus features to my phone. Or pretty much all technology. Geez!! Lol


Go to:

Settings > Passwords > Security Recommendations

...Follow the directions for each password involved.


Feb 24, 2021 6:14 AM in response to Kimmsolo

Kimmsolo wrote:

Hi were you able to identify what it meant? I just got that pop up today too. One where it showed all my apps saying that they’re at risk and that I should change the password. It said password leaked. I’m really worried that someone actually has access to my passwords. Did you solve the issue?


Please skim the replies in this thread.


Solving this issue involves changing one or more of your existing passwords to new and unique and preferably more robust passwords.


Getting warnings—each warning can have details of what happened—usually means a password was re-used across more than one website or service, and one (or more) of the places where that password was used—often with an email address to identify the user—leaked the email address and the associated password.


People (now including Apple) are building up databases of the email addresses, and each password associated with that address.


Some like Apple are notifying their users. Others are nefarious, and are using these same server breaches and the passwords exposed, and are trying these passwords across other services; what’s sometimes called “cramming”.


What to do?


Change your exposed password(s) to a new and unique value.


To see which passwords are involved:


If you’re on iPad or iPhone, use Settings > Passwords > Security Recommendations

On macOS, Safari > Preferences > Passwords can show you warnings on passwords


Some folks here might fear viruses and virus warnings and the “YOU HAVE A VIRUS” pop-ups, but it’s duplicated / re-used passwords that are how a whole lot of us are getting in trouble.
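The point made in the reply above (one leaked password exposes every account that shares it), as an added example that is not part of the original thread and not Apple's implementation: it flags leaked and reused entries in a saved-credential list and orders them for changing. All sites, usernames, passwords and the breach set are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample data: (site, username, password). Not real credentials.
SAVED = [
    ("shop.example", "pat@example.com", "Sunshine2015"),
    ("forum.example", "pat@example.com", "Sunshine2015"),
    ("mail.example", "pat@example.com", "Sunshine2015"),
    ("bank.example", "pat@example.com", "k3#Vq9!tLm2x"),
    ("news.example", "pat@example.com", "letmein"),
    ("video.example", "pat@example.com", "Tr0ub4dor&3"),
    ("music.example", "pat@example.com", "Tr0ub4dor&3"),
]
# Constructed breach corpus: passwords exposed by breaches at some service.
LEAKED_PASSWORDS = {"Sunshine2015", "letmein"}


def digest(password):
    """Hash so the audit compares digests rather than handling plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def audit(saved, leaked_passwords):
    """Return [(site, issues)] with the most urgent accounts first."""
    leaked = {digest(p) for p in leaked_passwords}
    by_digest = defaultdict(list)
    for site, _user, password in saved:
        by_digest[digest(password)].append(site)

    findings = []
    for d, sites in by_digest.items():
        issues = []
        if d in leaked:
            issues.append("leaked")
        if len(sites) > 1:
            issues.append("reused")  # one breach exposes every site listed
        if issues:
            findings.extend((site, issues) for site in sites)
    # Leaked-and-reused first, then leaked, then reused; ties by site name.
    findings.sort(key=lambda f: (-len(f[1]), "leaked" not in f[1], f[0]))
    return findings


if __name__ == "__main__":
    for site, issues in audit(SAVED, LEAKED_PASSWORDS):
        print(f"{site}: {', '.join(issues)}")
```

Accounts that share the leaked password are flagged even if their own service was never breached, while the unique, unleaked entry produces no finding.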

Feb 28, 2021 8:48 AM in response to cathyand80

There were many hundreds of businesses hacked in the past few years, so if you had an account with any of them your password was stolen as part of the attack. There is no way to know which of these corporate security breaches your account data was specifically stolen from, but if you know where you used the compromised passwords you can probably figure it out.

Feb 28, 2021 8:51 AM in response to Lawrence Finch

Lawrence Finch wrote:

There were many hundreds of businesses hacked in the past few years, so if you had an account with any of them your password was stolen as part of the attack. There is no way to know which of these corporate security breaches your account data was specifically stolen from, but if you know where you used the compromised passwords you can probably figure it out.


FWIW, the website linked previously does indicate which dump(s) included the email credentials.

Feb 28, 2021 8:53 AM in response to MrHoffman

MrHoffman wrote:


Lawrence Finch wrote:

There were many hundreds of businesses hacked in the past few years, so if you had an account with any of them your password was stolen as part of the attack. There is no way to know which of these corporate security breaches your account data was specifically stolen from, but if you know where you used the compromised passwords you can probably figure it out.

FWIW, the website linked previously does indicate which dump(s) included the email credentials.

Thanks; that may be a new feature; I hadn’t noticed it previously. Or maybe it’s just my inattention.

Feb 28, 2021 9:38 AM in response to cathyand80

cathyand80 wrote:

My Apple ID or iCloud mail were not breached but my Gmail email has been breached by 3 places : Houzz, Modern Business Solutions and My heritage


And those same passwords, should they have been (re)used elsewhere in conjunction with any of your associated email addresses.


Dead simple email matching addresses to start, and that’ll be followed by testing those passwords with any other email addresses the miscreants can associate with the breached email address.


This attack against password re-use is called cramming.


Some attackers are rummaging mail or messages at other services with matching credentials pairs looking for yet more passwords or passcodes, too.

Mar 7, 2021 6:13 PM in response to Andphrew

Andphrew wrote:


The same thing happened to me which got me thinking that maybe my entire phone is hacked... is that possible


Technically iPhone can be hacked, but that’s unlikely to be the case for most security issues, and that’s also not what the password-reuse messages are warning about. They’re warning about password re-use.


and if so what should I do?


Change to unique passwords across all services, preferably to robust passwords or generated passwords, use a password manager such as iCloud Keychain, and don’t re-use your chosen passwords.


Start the password change with the passwords flagged as having been exposed, those passwords usually exposed by server breaches where you’ve had accounts. Start with the highest-risk passwords and work through several of those passwords a day or more, or whatever works out for you to get those issues addressed soonest, and work your way through the backlog.


Why change passwords? Folks take your email address and all known associated passwords and then re-try those same credentials on pretty much any other network service on the Internet. Which will be a Bad Day for you, should your Apple ID password happen to be one of those re-used passwords. This is called “cramming”, and—unlike fears that our iPhone might be getting hacked, and which is quite rare—mistakes such as password re-use are how many of us are getting in trouble.

Mar 10, 2021 6:38 AM in response to NoahBruh

NoahBruh wrote:

Yes, it’s happened to my iPhone too.


It hasn’t so much as happened to your iPhone, but rather the passwords that have been used on your iPhone have been found in data leaks elsewhere, or are passwords with other related password security issues.


This re-use or weak passwords or such is then reported to you by your iPhone, to allow you to know about and upgrade your passwords.


These password diagnostics are fairly common, particularly among those of us that have re-used passwords that were, well, weak, or those of us that have reused a password exposed by a password breach elsewhere.


Various websites and services that many of us have used—services elsewhere on the Internet—have become breached, the passwords then exposed, and the miscreants then try these same passwords in logins across the rest of the Internet. Including, for instance, re-trying these breached-elsewhere logins and passwords as Apple IDs.


One of my throw-away passwords from a dozen years ago that was still present in my password Keychain ended up (through corporate acquisitions) at a completely different Internet service long after a breach at the original service, and some schmucks then re-tried that old password, and (almost) got in. With few exceptions, we’ve all been bad with a few passwords, and the server breaches are making that more of a problem.


What to do? Pick a couple of the most serious reported issues each day or two, and fix them, or delete the accounts if they’re no longer relevant to you and your needs, and work your way through the backlog of bad passwords.

