nausky wrote:
Exact same situation here. Silence on this is pretty annoying since companies are supposed to disclose when they leak data.
Have you even considered that you might have accidentally disclosed your AppleID credentials - or perhaps are using the same username (i.e., your email address) and password for a different website or service? If so, this might account for what might appear to be compromised AppleID credentials.
Any credentials stored within your Keychain are not accessible to Apple - as the Keychain is protected by end-to-end encryption. To access the Keychain data, you require an encryption key that is only stored on your own devices within their respective Secure Enclave (i.e., the device's Security chip).
Similarly, Apple doesn't actually store your AppleID Password - but instead uses a one-way (i.e., irreversible) "hash" of your account password. Even if the "hash" was somehow breached, it is impossible to discover the original Password from the hashed value itself.
In simple terms, when you sign in to Apple, the Password that you provide during the sign-in attempt is used to generate another "hash" value - and this computed value is compared with the value already stored by Apple. If the values match, you are granted access; if not, the Password is incorrect and the sign-in attempt will fail. Game over.
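
The hash-and-compare sign-in described in the post above, as an added sketch that is not part of the original thread and is not Apple's code. The salted PBKDF2 scheme, its parameters, the record layout and the names `enroll`, `verify` and `demo` are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch


def enroll(password: str) -> dict:
    """Build the record a server keeps: salt and derived hash, never the password."""
    salt = os.urandom(16)  # per-account random salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return {"salt": salt, "iterations": ITERATIONS, "hash": digest}


def verify(record: dict, attempt: str) -> bool:
    """Recompute the hash from the sign-in attempt and compare it to the stored one."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), record["salt"], record["iterations"]
    )
    # Constant-time comparison, so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


def demo() -> dict:
    """Run the flow on constructed sample passwords and return the outcomes."""
    password = "correct horse battery staple"  # constructed sample value
    first = enroll(password)
    second = enroll(password)  # same password, second account
    return {
        "right_password": verify(first, password),
        "wrong_password": verify(first, "Correct horse battery staple"),
        # Different salts give different stored hashes for identical passwords.
        "same_stored_hash": first["hash"] == second["hash"],
        "password_in_record": password.encode("utf-8") in first["hash"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
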