How can 50+ passwords be comprised- has apple been hacked?

The fact that your Mac states your passwords are compromised does not in any way mean the accounts they belong to were hacked.

It means they have been somehow leaked from some website or online service that had them and have appeared in the lists Apple has access to of leaked passwords. It does not mean anyone has used them yet, or has accessed Apple services. More likely leaked from any other service you may be using that may have been actually hacked before. Like Target for instance.

You would do well to change them to something else.

Also there is a difference between being compromised, ie found in a leak and being reused or easily guessed which Apple will also inform you about in the same way, via an exclamation point in a triangle icon.

You can go through your passwords and determine which are worth changing and which are not.

It's highly unlikely Apple's iCloud would be hacked like that. It uses much higher security than most other services. It's one of the few online services to not have been actually hacked yet. Also, everything on Apple's iCloud services is encrypted so even if it were hacked, it would just be a mess of jumbled data with no real way to decrypt.

Liquid46 wrote:

...

Knock on wood, but in 25+ years of owning Macs Ive never had a breach or a leak until Big Sur.

Nope. In 25+ years it is incredibly unlikely your passwords haven't ever been leaked, it's just that up until recently Apple did not warn people about it. So nobody knew if they were or were not leaked.

The fact you did not know about it does not mean it did not happen. Now Apple offers warnings which you are of course free to ignore if you want to.

I for one appreciate being informed about potential threats so I can do something about it.

The effect would be negligible if it was not being actively used to hack you. It appears to be faux security as Apple is sniffing your keychains now to compare it to a list we all want to know where exactly this list is and is appearing and who else has access to this data????

The list is out in the wild, it means anyone out there could have access to it. Its not Faux security, its preemptive security. That is, you can do something before your account is actually accessed. Your account is not hacked, it's accessed because they have the information required to access it just like you would. If you change said information before thy access it, then you mitigate or negate the issue before it actually happens.

From link-> Passwords & Privacy - Apple Support

Your device may also inform you of passwords that may have been compromised in a data breach. This feature uses strong cryptographic techniques to regularly check derivations of your passwords against a list of breached passwords in a secure and private way that doesn’t reveal to Apple your accounts or passwords. Apple will send to your device a list of common passwords that are present in data breaches. For your passwords that are not in this list, your device will send information calculated from your passwords to Apple to check if the passwords may be present in a data breach. You will be warned about your passwords determined to possibly be in a data breach. Your actual passwords are never shared with Apple, and Apple does not store the information calculated from your passwords. You can disable this feature at any time by going to Settings > Passwords > Security Recommendations.

You are entirely free to act on the security recommendations provided by Apple or not. But it's dumb in this day an age to think that it's not going happen or cannot happen to you. It's better to be prepared, then regret it later.

PleaseHelpme17 wrote:

... Is 'hacked' and 'appeared in a leak' not the same thing?

...

No. Its like saying a thief has house keys to enter 50 houses. or a thief has broken in to 50 houses. Having the key to the house, does not mean the house has been burglarized "yet"... Just that a thief can access 50 different houses. Not that he broke into them already.

Having your password leaked does not mean anyone hacked your account specifically. It means it's part of a list of accounts that were obtained from somewhere and are now out in the wild but may not have been used to access said account yet. Your accounts themselves are unlikely to have been hacked to get this information.

Update the account password for those that appear as having been leaked to make sure the thieves that do have them cannot use them, because they would no longer be valid credentials once you change them.

Liquid46,

Anti-virus software and other protections on your computer won’t stop an account compromise. You need to protect the accounts themselves, not the device you use to access them.

Regarding the password checks, Apple checks your passwords against an internal database in a private and secure manner. The process is designed so that Apple cannot learn what your real passwords are. Keep in mind, a leaked password doesn’t mean that your account is hacked yet. For more info: Password Monitoring - Apple Support (CA)

As mentioned earlier, the best way to protect online accounts is to set up MFA for each one (or at least the important ones). This may seem tedious now, but you’ll be thanking yourself the next time one of your friends has to deal with their accounts being hacked.

Hi Charli,

Apple devices use a secure process to periodically check whether your passwords appeared in a data leak: Password Monitoring - Apple Support (CA)

To create strong passwords, I recommend the following:

• Use a password manager, and let the password manager generate a secure password for each account (except for a few important ones). iCloud Keychain qualifies as a password manager, and Safari can generate secure passwords when you create new accounts or reset a password.

• For your most important accounts, use passphrases, not passwords. A passphrase is exactly what it implies: it's a series of words that is far easier to remember than a long, complicated password. To make a passphrase even stronger, add in some numbers and/or symbols in appropriate places.

• Turn on multi-factor authentication (MFA) wherever possible. According to Microsoft, MFA shuts down 99% of account compromise attempts. This is because no matter how your password may have been leaked, it isn't enough to get in; you need a second factor (your phone) as well.

I don't remember which one by name, but the last "hack" meant I needed to change 23 passwords. Or 27, I don't remember which.

The problem was nobody knew exactly which of anybody's accounts had suddenly been exposed and therefore vulnerable; solution: change them all.

It's a hassle, but it's also the way it is when both systems and humans are not perfect. You have to have an "escape plan", not a foolproof "life plan". Hope for the best, but plan for the worst.

Data leaks are common in this times unfortunately. With big data leaks happening, it can be that multiple passwords are leaked.

I always change every password after a leak, or random every month

Not the same things very true. However, the effect on a computer user can be the exact same.

Being available as public knowledge and being used maliciously are different. It's a matter of intent; not facts.

I think Apple is harming productivity and adding paranoia with this type of a prompt. I have anti-virus and all of the protections I need without Apple telling me to change 50+ passwords - hours and hours of unpaid needless work - for no good reason.

I need to know where my data was leaked specifically. As in, they know so why is that data not shared? Or is it an unprovable assumption and Apple is the primary owner with keychain access more than any other possible system out there and sniffing my passwords in the firstplace.... hmmmmm.

Knock on wood, but in 25+ years of owning Macs Ive never had a breach or a leak until Big Sur.

The effect would be negligible if it was not being actively used to hack you. It appears to be faux security as Apple is sniffing your keychains now to compare it to a list we all want to know where exactly this list is and is appearing and who else has access to this data????