this password has appeared in a data leak: what is this



iPhone message «This password has appeared in a data leak.»

Jun 4th, 2021 10:19 am

Yesterday I received this message on my iPhone «This password has appeared in a data leak, which puts this account at high risk of compromise. You should change your password immediately» and it’s asking me to change 89 passwords on different sites.

Many of the passwords are not the same although a few are. Does this mean that 89 of my passwords were compromised? How? I did google it but I still don’t fully understand.

89 derivations of your passwords; it doesn’t reveal your password information to Apple.

Jun 4th, 2021 11:33 am

Dhanushan wrote: ↑ 89 derivations of your passwords; it doesn’t reveal your password information to Apple.

This is making less and less sense because that’s not how passwords and hashing work.

If you hash your password of «password» you get:
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
But if you derive «passw0rd» from it, you get:
8f0e2f76e22b43e2855189877e7dc1e1e7d98c226c95db247cd1d547928334a9
Which is a completely different hash.

So Apple at some point has to get your original password (even in hash form) otherwise it makes no sense.
Even if «password» was compromised, a password like «passw0rd!1» might not be.

As a real-life example, I recently signed up for Petro Points. Their password rules state (among others) that your password cannot be «Petro123», so I made mine «Petro124» just because.

Jun 4th, 2021 1:22 pm

Even if it was compromised, every website has a unique password so the only password they got was that one.

Jun 4th, 2021 1:24 pm

And that’s what I meant. OK, the front page asks for an email or phone number. But you can also check if your password was compromised: https://haveibeenpwned.com/Passwords

I don’t feel comfortable entering either on a website I don’t know much about. Do you? They get this information once you enter it.

Jun 4th, 2021 2:19 pm

alpovs wrote: ↑ And that’s what I meant. OK, the front page asks for an email or phone number. But you can also check if your password was compromised: https://haveibeenpwned.com/Passwords

I don’t feel comfortable entering either on a website I don’t know much about. Do you? They get this information once you enter it.

Source

Jun 4th, 2021 3:12 pm

The most secure online way would be a self-hosted instance of KeePass.
It’s open source and can utilize a variety of communication protocols.
For me, for example, it lives on a secure file server that’s only accessible via VPN. So I have no reliance on anyone but myself, which is both a very good and a very bad thing.

It’s better than paper (which can get lost, isn’t easily updated, isn’t remotely viewable, etc.) and better than other password managers, which have a host of problems not limited to being closed source, being insecure, being a paid product, being someone else’s project whose whims you’re subject to, and, as you mentioned before, you’re trusting a third party with your active passwords.

Jun 4th, 2021 3:21 pm

death_hawk wrote: ↑ The most secure online way would be a self-hosted instance of KeePass.
It’s open source and can utilize a variety of communication protocols.
For me, for example, it lives on a secure file server that’s only accessible via VPN. So I have no reliance on anyone but myself, which is both a very good and a very bad thing.

It’s better than paper (which can get lost, isn’t easily updated, isn’t remotely viewable, etc.) and better than other password managers, which have a host of problems not limited to being closed source, being insecure, being a paid product, being someone else’s project whose whims you’re subject to, and, as you mentioned before, you’re trusting a third party with your active passwords.

Jun 4th, 2021 3:25 pm

I didn’t give any advice, so nobody should listen to me. And I don’t care.

So, do you think keeping your passwords on your phone is better?

Jun 4th, 2021 3:34 pm

alpovs wrote: ↑ I didn’t give any advice, so nobody should listen to me. And I don’t care.

So, do you think keeping your passwords on your phone is better?

Jun 4th, 2021 3:39 pm

Hm, I don’t use biometrics with Firefox.

2) Are you sure your phone doesn’t «backup» your passwords to «the cloud» before they are encrypted where they can be accessed by the cloud owner?

Jun 4th, 2021 4:13 pm

From what I’ve read, none of the good password managers keep your actual password in the cloud. They claim to keep the hashed or encrypted form of the password.
Then the password gets decrypted locally via the browser plugin or app, when you enter your master password.

I don’t think there’s any perfect password storing method.
The more security measures, the more inconvenient it is so even if you have the best security measures, it can get defeated by the user.
Enforced long passwords with upper and lower case letters, numbers, symbols? The password will end up on a sticky note and/or changed by 1 character every month.
My boss believes in not storing passwords electronically, and keeps a password notebook in a drawer.
But it’s inconvenient to go to the office to look up a password, so he uses the same passwords everywhere.
I’m just waiting for us to be hacked.

Even if you keep your password secure, sites could be hacked.
If you use the same email/password everywhere, hackers will find your other accounts.
But trying to remember a different password for every site would be difficult.
That’s where password managers are helpful, allowing you to generate a different password for each site.
For most users, unlocking an app with a fingerprint is the most effort they’re willing to make for security.

Source

Question: Q: Password in data leak

Hi, I’ve just checked the Passwords section on my iPhone 11 and it’s telling me my password has been detected in a data leak and that I should change most of my passwords. Is this right? Do I change them by clicking the link from my phone?

Posted on Nov 17, 2020 12:12 PM

All replies

I found the same message after I purchased 2 TB of iCloud storage, which coincided with an update. I had 443 alerts under Settings-Passwords listing every single account with a Safari-memorized password. The Apple support tech looked at his own phone and found similar messages specifically stating «This password has appeared in a data leak, which puts this account at high risk of compromise. You should change your password immediately.» He was alarmed and promised the Apple Security and Privacy Department would call me about 4 days later, which they did not do. Called again yesterday and spent another hour on the phone, meticulous notes by the tech, promising a phone call this morning which again did not occur. Called Apple again, got connected to Security and Privacy at last, and a technician who had no time to review the notes on the account played it down like it’s a generic alert that I could turn off if it bothered me. The wording is too specific to be nothing. What else could this be but an iCloud leak? Or are the Apple engineers that loose with the English language?

Nov 20, 2020 10:16 AM

It does seem very strange that Apple can’t give an explanation as to why we have got a message stating that a data leak has occurred.

I too will follow it up; thank you for taking the time to reply and for letting me know I’m not the only one.

Nov 20, 2020 1:13 PM

There were many hundreds of businesses hacked in the past few years, so if you had an account with any of them your password was stolen as part of the attack. There is no way to know which of these corporate security breaches your account data was specifically stolen from, but if you know where you used the compromised passwords you can probably figure it out.

Feb 28, 2021 8:48 AM

There were many hundreds of businesses hacked in the past few years, so if you had an account with any of them your password was stolen as part of the attack. There is no way to know which of these corporate security breaches your account data was specifically stolen from, but if you know where you used the compromised passwords you can probably figure it out.

FWIW, the website linked previously does indicate which dump(s) included the email credentials.

Feb 28, 2021 8:51 AM

There were many hundreds of businesses hacked in the past few years, so if you had an account with any of them your password was stolen as part of the attack. There is no way to know which of these corporate security breaches your account data was specifically stolen from, but if you know where you used the compromised passwords you can probably figure it out.

FWIW, the website linked previously does indicate which dump(s) included the email credentials.

Thanks; that may be a new feature; I hadn’t noticed it previously. Or maybe it’s just my inattention.

Feb 28, 2021 8:53 AM

My Apple ID and iCloud mail were not breached, but my Gmail email has been breached by 3 places: Houzz, Modern Business Solutions and MyHeritage.

Feb 28, 2021 9:10 AM

You should change the password for those 3, and for any other sites where you might have reused those passwords.

Feb 28, 2021 9:13 AM

My Apple ID and iCloud mail were not breached, but my Gmail email has been breached by 3 places: Houzz, Modern Business Solutions and MyHeritage.

And those same passwords, should they have been (re)used elsewhere in conjunction with any of your associated email addresses.

Dead-simple matching of email addresses to start, and that’ll be followed by testing those passwords with any other email addresses the miscreants can associate with the breached email address.

This attack against password re-use is called cramming.

Some attackers rummage through mail or messages at other services with matching credential pairs, looking for yet more passwords or passcodes, too.

Feb 28, 2021 9:38 AM

The same thing happened to me, which got me thinking that maybe my entire phone is hacked. Is that possible, and if so what should I do?

It has nothing to do with your phone being hacked, which can’t happen. It means that the sites where you logged in with those passwords were hacked.

The same thing happened to me, which got me thinking that maybe my entire phone is hacked. Is that possible

Technically iPhone can be hacked, but that’s unlikely to be the case for most security issues, and that’s also not what the password-reuse messages are warning about. They’re warning about password re-use.

and if so what should I do?

Change to unique passwords across all services, preferably to robust passwords or generated passwords, use a password manager such as iCloud Keychain, and don’t re-use your chosen passwords.

Start the password change with the passwords flagged as having been exposed, those passwords usually exposed by server breaches where you’ve had accounts. Start with the highest-risk passwords and work through several of those passwords a day or more, or whatever works out for you to get those issues addressed soonest, and work your way through the backlog.

Why change passwords? Folks take your email address and all known associated passwords and then re-try those same credentials on pretty much any other network service on the Internet. Which will be a Bad Day for you, should your Apple ID password happen to be one of those re-used passwords. This is called “cramming”, and—unlike fears that our iPhone might be getting hacked, which is quite rare—mistakes such as password re-use are how many of us are getting in trouble.

Yes, it’s happened to my iPhone too.

Mar 9, 2021 11:55 PM

Yes, it’s happened to my iPhone too.

It hasn’t so much happened to your iPhone, but rather the passwords that have been used on your iPhone have been found in data leaks elsewhere, or are passwords with other related password security issues.

This re-use or weak passwords or such is then reported to you by your iPhone, to allow you to know about and upgrade your passwords.

These password diagnostics are fairly common, particularly among those of us that have re-used passwords that were, well, weak, or those of us that have reused a password exposed by a password breach elsewhere.

Various websites and services that many of us have used—services elsewhere on the Internet—have become breached, the passwords then exposed, and the miscreants then try these same passwords in logins across the rest of the Internet. Including, for instance, re-trying these breached-elsewhere logins and passwords as Apple IDs.

One of my throw-away passwords from a dozen years ago that was still present in my password Keychain ended up (through corporate acquisitions) at a completely different Internet service long after a breach at the original service, and some schmucks then re-tried that old password, and (almost) got in. With few exceptions, we’ve all been bad with a few passwords, and the server breaches are making that more of a problem.

What to do? Pick a couple of the most serious reported issues each a day or two, and fix them, or delete the accounts if they’re no longer relevant to you and your needs, and work your way through the backlog of bad passwords.

Source

Question: Q: «This password has appeared in a data leak» notice on iPhone

Is there any way to find out what website the data leak was from when getting this on my iphone settings?

I want to find the culprit for me now having to change my password used on 59 other sites

[Re-Titled by Moderator]

Posted on Sep 29, 2020 9:22 AM

Okay, here’s how this scheme works. Some service gets breached. There are lots and lots of service breaches, too.

Every password associated with each account listed in that and in every other breach is then tried on every other service.

Re-use a password, and some miscreant will now have access to that service, and whatever additional access can be gained from there. Access to an Apple ID (and particularly one without two-factor enabled) is a Bad Day for the account holder, too.

Put differently. Duplicate passwords will get found, just as soon as there’s one been included in a server breach.

And if Apple is reporting this diagnostic, then the password is known to be associated with the account. Bad Day.

As for determining the number of breaches that an email address has been found in, see

Further reading over there will provide further background, too.

Resetting the phone is not necessary. Unique passwords are strongly suggested. Two-factor on important accounts such as your Apple ID, too.

Posted on Oct 1, 2020 7:13 PM

All replies

You will never find the culprit.

Look at the news, many websites and companies are breached.

Many of them don’t follow best practices of security by salting and hashing passwords.

It is estimated that 15 billion passwords are available to buy on the dark web.

Your best bet is to use a password generator to create a unique password for each and every website.

iOS has one built in, Keychain:

You can also use a service such as 1Password or LastPass.

Sep 29, 2020 10:28 AM

This is the million dollar question no one else is asking. How does Apple know?

Okay, here’s how this scheme works. Some service gets breached. There are lots and lots of service breaches, too.

Every password associated with each account listed in that and in every other breach is then tried on every other service.

Re-use a password, and some miscreant will now have access to that service, and whatever additional access can be gained from there. Access to an Apple ID (and particularly one without two-factor enabled) is a Bad Day for the account holder, too.

Put differently. Duplicate passwords will get found, just as soon as there’s one been included in a server breach.

And if Apple is reporting this diagnostic, then the password is known to be associated with the account. Bad Day.

As for determining the number of breaches that an email address has been found in, see

Further reading over there will provide further background, too.

Resetting the phone is not necessary. Unique passwords are strongly suggested. Two-factor on important accounts such as your Apple ID, too.

I have just received this notification too. From the date I started recent accounts across different services it is very obvious that the data leak can only have come from Google, Apple or Microsoft or a combination of all three.

Jul 23, 2021 9:11 PM

Otherwise, I think the «warning» is BS, and is, in fact, the danger.

Jul 31, 2021 5:52 PM

To summarize, the leaked password list that is used for the leaked password warning came from hundreds of sites that have been hacked over the past several years (remember Equifax, which had 150 million accounts stolen, or Marriott, which had over 200 million?), and the passwords have been found for sale on the dark web. There’s also a site where you can check your passwords and user IDs to see if they are on compromised password lists: https://haveibeenpwned.com. Google also has access to leaked password lists, and if you store passwords with Chrome those will be checked against these lists also.

Jul 31, 2021 6:04 PM

I have just received this notification too. From the date I started recent accounts across different services it is very obvious that the data leak can only have come from Google, Apple or Microsoft or a combination of all three.

WRONG. Leaked passwords have not come from Google, Apple or Microsoft. They have come from hundreds of businesses and sites that have been hacked over the past few years. Like Equifax, Marriott, Zynga, and hundreds of others.

Jul 31, 2021 6:06 PM

Thanks for the reply. I have no doubt that the various functions described in your referral are in place. But the «warning» I’ve been getting doesn’t particularly look like an Apple graphic. And, incidentally, I’m not getting them on my phone, although I’m not sure that would matter. But, if I were looking to gather passwords nefariously, this would be an excellent way to do it.

Jul 31, 2021 6:09 PM

For implementation details, see:

On iOS and iPadOS, see: Settings > Passwords > Security Recommendations

On macOS, it’s hidden in Safari > Preferences > Passwords

If you’re getting notifications, one or more of your passwords may well be headed for trouble,

Jul 31, 2021 7:45 PM

haveibeenpwned contacts multiple famous services such as wattpad and mathway, etc to see if they have been exposed to hackers and accounts have been sold or leaked, and might also confirm that your email or phone-number is part of that list.

This methodology has some limitations however, as it relies on companies actually admitting and giving a record of emails stating that they have been hacked.

Contrastingly, Apple’s Keychain services use a different method. Like many VPN services, such as NordVPN, Keychain actually references many deep web links to compromised accounts and immediately contacts the owner. Quote:

«To verify whether a password not present in the local list is a match involves some interaction with Apple servers. To help ensure that legitimate users’ passwords aren’t sent to Apple, a form of cryptographic private set intersection is deployed that compares the users’ passwords against a large set of leaked passwords. This is designed to ensure that for passwords less at risk of breach, little information is shared with Apple. For a user’s password, this information is limited to a 15-bit prefix of a cryptographic hash. The removal of the most frequently leaked passwords from this interactive process, using the local list of most commonly leaked passwords, reduces the delta in relative frequency of passwords in the web services buckets, making it impractical to infer user passwords from these lookups.»

(In short, cutting through the bull-**** (excuse the French), it is a way faster and more secure system.) Here’s a link to Apple’s website that explains it sort of well: Password Monitoring

Aug 10, 2021 3:11 AM
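An added example, written for this page and not Apple’s code or anything posted in the thread, of the prefix-bucket check the quoted passage describes: a local common-password list is consulted first, and only a 15-bit hash prefix leaves the device, with the final comparison done on the client. The hash function (SHA-256) and both password lists are assumptions constructed for the demo; it also shows the point made earlier in the thread that a leaked «password» does not by itself flag «passw0rd», because matching is on exact hashes.

```python
"""Demo of a prefix-bucket leaked-password check (constructed example)."""
import hashlib
from collections import defaultdict

PREFIX_BITS = 15  # the quoted Apple text: the server learns only a 15-bit hash prefix

# Constructed stand-in for the on-device list of most commonly leaked passwords.
LOCAL_COMMON_LEAKED = {"123456", "password", "qwerty", "letmein"}

# Constructed stand-in for the much larger server-side corpus of leaked passwords.
# "passw0rd" and "Petro124" are deliberately absent: a leak of "password" or
# "Petro123" says nothing about a near-variant unless that variant itself leaked.
SERVER_LEAKED = {"password", "hunter2", "Petro123", "iloveyou", "dragon", "sunshine"}


def digest(password: str) -> bytes:
    """Full hash of the password; SHA-256 is an assumption for this demo."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def prefix(d: bytes, bits: int = PREFIX_BITS) -> int:
    """Top `bits` bits of the digest, used as the bucket id sent to the server."""
    return int.from_bytes(d[:2], "big") >> (16 - bits)


class BucketServer:
    """Holds the leaked corpus indexed by hash prefix and logs what it is sent."""

    def __init__(self, leaked):
        self.buckets = defaultdict(set)
        for pw in leaked:
            d = digest(pw)
            self.buckets[prefix(d)].add(d)
        self.seen_prefixes = []  # the only thing the server ever learns per query

    def lookup(self, bucket_id: int) -> set:
        """Return every leaked digest sharing this prefix (the whole bucket)."""
        self.seen_prefixes.append(bucket_id)
        return set(self.buckets.get(bucket_id, set()))


def check_password(password: str, server: BucketServer) -> dict:
    """Report whether the password is known-leaked, where that was decided,
    and how many bits of hash left the device."""
    if password in LOCAL_COMMON_LEAKED:
        # Most frequent leaks are caught locally; nothing is sent at all.
        return {"leaked": True, "decided": "local", "bits_sent": 0, "candidates": 0}
    d = digest(password)
    bucket = server.lookup(prefix(d))
    # The client compares its full digest against the returned bucket, so the
    # server cannot tell which entry (if any) matched. With a corpus of hundreds
    # of millions of passwords and 2**15 buckets, each bucket holds thousands.
    return {"leaked": d in bucket, "decided": "server-bucket",
            "bits_sent": PREFIX_BITS, "candidates": len(bucket)}


if __name__ == "__main__":
    srv = BucketServer(SERVER_LEAKED)
    for pw in ("password", "passw0rd", "hunter2", "Petro124"):
        print(pw, check_password(pw, srv))
    print("server saw only these bucket ids:", srv.seen_prefixes)
```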

I have received this notification too, although I use a password manager as well as having checked on HaveIBeenPwned, and neither of them report a problem.

Some of these at least are clearly linked to the email address not the password.

I know this because about 4 years ago one of my email addresses was compromised in a data breach and that was reported to me by my password manager.

I retired the address and changed all the passwords associated with it, and it is mostly very old passwords I changed long ago associated with this email which are being flagged.

To be clear, the email is the same but the passwords are all different.

So I suggest you also check that the email address in the notification has not been compromised.

There are also a couple of other old passwords which are frankly a bit simple and just happen to be the same as ones leaked from someone else. I’m happy to say none of my very strong unique passwords created by a password generator have been leaked and that’s really the way you need to go.

Why Apple and not the other sites? I think Apple’s reach is bigger. Considering how many devices it has supplied and every one of them signs into their cloud for something. Find my phone, email, register a product, photos, music. All using their servers for something.

Aug 15, 2021 1:24 PM

Personally, I DO use Apple’s password generator, and have only a couple unused passwords from the distant past.

Again, I’m sure this is a valid issue, but I’m not completely confident about some of the suggested «cures».

Aug 15, 2021 2:49 PM

You make a very important point and I hadn’t picked up on that.

Definitely, sometimes when you get a notification saying a password has been compromised it’s a scam.

Same as when you get a pop-up saying your mac is full of malware. There was one someone posted here that looked very much like a scam

Similarly, be careful checking passwords. I think ‘Have I Been Pwned’ is ok, but there are sites that are collecting them, so you may actually be giving them away when you enter them to be tested.

If your machine is compromised and has a keylogger installed, then changing your password will only give the baddies your new password, so you need to occasionally run some anti-malware, and Malwarebytes is respectable for the Mac. You can run it for free.

So if you are getting notifications, make sure they are really from Apple, and you can do that by the following:

If you are on the phone then go to Settings > Passwords, and security alerts can be found there. (Settings is the gearwheel if you aren’t sure.)

If you are on the Mac then in Safari, on the ‘Safari’ tab on the top left address bar, go to Preferences > Passwords and you’ll find a triangle next to any passwords they are flagging you about, which will give you more info when you click on it.

People should really use Keychain and allow it to generate strong, unique passwords.

Or a password manager if you want to use iOS and Android or Mac and Windows or if you want to use another browser other than Safari.

People worry about storing passwords in the cloud like in Keychain or a password manager, but if you have used them to log into something on the net then they are all out there stored in cyberspace anyway.

Where they are stored is less important than how difficult they are to get into, and the sort of encryption and security Apple and the likes of Dashlane and 1Password put into it is far greater than for the guy selling dog food online working out of a broom cupboard, your dentist or even your lawyer!

Source
