
Password leaks very often

Hello there,


I have recently begun checking my passwords with Apple's new "security recommendations" on my iPhone. It seems that about once a month multiple of my passwords are involved in a data leak. Which passwords are compromised seems to vary. I've read that it is possible for the passwords to not actually be mine (just a similar one used by another user), but some of them (normally ones deemed "easily guessed" by Apple) seem to be pretty unique. For example, one that was recently compromised was "apple1029" (not used on an Apple-related website). I also never re-use my passwords. I am very stressed out over this, as some of the passwords use another family member's email account. Has one of our accounts been compromised, or am I overreacting?


Thank you so much!


Posted on Sep 15, 2021 3:38 PM

Question marked as Best reply

Posted on Sep 15, 2021 6:09 PM

Passwords are leaked when sites that you visit are hacked. Sadly, this happens all too frequently. Most companies have rather poor cybersecurity, because it costs money to do it right, and there is no return on investment from it. A few companies have outstanding security: Google, Apple, Microsoft. Some that should know better don't, such as Equifax (140 million customer accounts were stolen from them several years ago), T-Mobile (something like 60 million accounts stolen), and Zynga (the game company), and there are new reports regularly of hacked sites.

8 replies

Sep 15, 2021 5:09 PM in response to Simonvuu

Generally it will be identical, as the probability of 2 passwords generating the same hash is possible but very unlikely. And similar doesn’t count. To use your example, “apple1029” and “apple1030” will generate totally different hashes. But I can imagine many users thinking apple1029 might be a chosen password. I’m sure there are lots of people whose birthday is October 29 and who access Apple’s site.


Using the standard SHA256 hash algorithm that many sites use:

apple1029: ba054a50af19449b515149b41122e33f514e3adb68e548edc2b8a4fad3f492c8
apple1030: 05acffad024480bd5758e4b6b3a3e838aa52175374424face4e940d702669a04


(above generated using https://md5hashing.net/hash/sha256)


I leave it as an exercise to the reader to reverse engineer the above hashes (you can do it on the same site). If there is more than one possible value the site will list all of them.
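The point made above, that a leak checker only ever matches an identical password and that a near miss like apple1030 produces an unrelated digest, can be reproduced locally. The following is an added example, not code from the thread or from Apple; the leak corpus is a constructed stand-in for a set of breached-password hashes.

```python
import hashlib

def sha256_hex(password):
    """Plain, unsalted SHA-256 of a password, as in the reply above."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def differing_hex_positions(digest_a, digest_b):
    """Count hex positions at which two equal-length digests differ.

    For unrelated inputs SHA-256 differs in roughly 15 of every 16 hex
    characters, so two neighbouring passwords look nothing alike.
    """
    if len(digest_a) != len(digest_b):
        raise ValueError("digests must have the same length")
    return sum(1 for x, y in zip(digest_a, digest_b) if x != y)

# Constructed stand-in for a breach corpus: only digests are stored,
# the way a leak-checking service would hold them, never the plaintext.
LEAKED_DIGESTS = {
    sha256_hex("apple1029"),   # the password from the question
    sha256_hex("password1"),   # constructed filler entries
    sha256_hex("letmein"),
}

def is_leaked(password, corpus=LEAKED_DIGESTS):
    """Exact-match lookup: only the identical password produces a hit.

    Case changes, an extra character or a neighbouring number all
    hash to something unrelated and therefore do not match.
    """
    return sha256_hex(password) in corpus

def compare_neighbours(first, second):
    """Return how far apart the digests of two similar passwords are."""
    h1, h2 = sha256_hex(first), sha256_hex(second)
    return {
        "first": h1,
        "second": h2,
        "differing_positions": differing_hex_positions(h1, h2),
        "total_positions": len(h1),
    }

if __name__ == "__main__":
    print(compare_neighbours("apple1029", "apple1030"))
    for candidate in ("apple1029", "apple1030", "Apple1029"):
        print(candidate, "leaked" if is_leaked(candidate) else "not leaked")
```

A warning from a checker built this way therefore means the exact string was seen in a breach, whether it was yours or another user's identical choice; the fix is the same either way, replace it with a unique one.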

Sep 15, 2021 5:42 PM in response to Simonvuu

Yes, you should change any that you received warnings about. Your iPhone will generate strong passwords for you, if you want. If you create them yourself they should be long (12-20 characters). One popular and relatively secure way is to use 2 unrelated words and a number. Adding a special character is a good idea: for example, Nifty873Comet! (which is not a password I use, BTW 😏)
