Password breach message. Anyone else on here had one?

I'm still interested in how this works. Do they tell you which password it is? Are they saying you have used that same password for 170+ websites? (At one time or another)
No. Most were different passwords. They didn’t tell me the password, just that passwords used on that site had been compromised.
 
This is the iPhone message, I believe:

[attached screenshot: the iPhone "compromised password" warning]


FWIW, this is what I think it means in practice.

Say you use the password Password1 for diynot, and somebody else uses Password1 for screwfix.

Then screwfix gets hacked, and Password1 appears on a list of compromised passwords. As a result, you get a warning that your password has appeared in a data leak. But it doesn't necessarily mean that diynot has been hacked. Does anyone have a view?
 
Jonathan is correct

What it means is your phone knows that you use a password that is known to have been revealed to the Internet through some data breach.

It does not mean one of your accounts was involved, just that you have picked a password for some site that is already a known word to the hacker community

If you only ever used decent passwords like "ABDaIRkemIeSTRoboSpULEsquATiBlEV" and every site you use has a different password, and your phone told you that one had been involved in a breach then you'd be well advised not only to change it sharpish but carefully examine how they might have got it (virus on your PC? Compromise of their system and they don't store passwords salted and hashed)

If your phone is telling you that you used "bbc123" for your player account and that was involved in a breach, it's something you should change if you really care about the account it's on - eg if it's also your banking password - but it would be reasonable to assume that it wasn't necessarily your account or devices that were compromised


Consider using a password manager that generates good passwords and have just one decent master password for getting into - I like to use a line of lyrics from a song - length is more important than character variation
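The two posts above describe the warning as a lookup against a list of passwords already seen in public breaches, rather than evidence that any particular site was hacked. The Python below is an added example, not code from this thread or from Apple, and it does not claim to be Apple's exact protocol. It simulates the widely used k-anonymity design of Have I Been Pwned's Pwned Passwords range API: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, gets back every suffix in that bucket with a count, and does the final match locally. The breach "dumps" are constructed sample data, and the function and variable names are this example's own.

```python
import hashlib

# Constructed stand-in for the public breach corpus. Two separate leaks both
# contain "Password1"; nothing about this says which site a given user is on.
CONSTRUCTED_BREACH_DUMPS = {
    "example-retailer-dump": ["Password1", "qwerty123", "bbc123"],
    "example-forum-dump": ["Password1", "letmein", "bbc123", "bbc123"],
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range API keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(dumps: dict) -> dict:
    """Server side: count occurrences per hash, then bucket by 5-hex-char prefix.

    The index keeps only hashes and counts; the source dump is discarded, so the
    service cannot tell a client *where* a password was leaked, only *that* it was.
    """
    counts: dict = {}
    for passwords in dumps.values():
        for pw in passwords:
            h = sha1_hex(pw)
            counts[h] = counts.get(h, 0) + 1
    index: dict = {}
    for h, n in counts.items():
        index.setdefault(h[:5], []).append(f"{h[5:]}:{n}")
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACH_DUMPS)


def range_query(prefix: str) -> str:
    """Simulated GET /range/{prefix}: newline-separated 'SUFFIX:COUNT' lines.

    Only the 5-character prefix ever reaches the server, so one request maps to
    roughly 1/16^5 of all possible SHA-1 values rather than to one password.
    """
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return "\n".join(RANGE_INDEX.get(prefix, []))


def check_password(password: str) -> dict:
    """Client side: send the prefix, match the remaining 35 characters locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    seen = 0
    for line in range_query(prefix).splitlines():
        candidate_suffix, count = line.split(":")
        if candidate_suffix == suffix:
            seen = int(count)
            break
    return {"sent_prefix": prefix, "seen_in_breaches": seen}


if __name__ == "__main__":
    for pw in ("Password1", "bbc123", "ABDaIRkemIeSTRoboSpULEsquATiBlEV"):
        result = check_password(pw)
        print(f"{pw!r}: sent prefix {result['sent_prefix']}, "
              f"seen {result['seen_in_breaches']} time(s) in leaked data")
```

A non-zero count for "Password1" is exactly the situation Jonathan described: the warning fires because that string is in the corpus, whether or not the user's own site was ever breached. The long random password returns zero, which is why a hit on a unique, generated password is the case that deserves investigation.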
 
How do Password Managers work? I can understand a manager remembering a password if only one device is used. But how does it work if I want to open an app using a different device and browser?
 
Depends on the manager. A web-based one like LastPass will have an app or browser extension; you sign into the app/extension, then on sites you visit where it knows the password it offers to fill it in for you. You typically use the password manager to generate new passwords for you when you sign up to things, so every site has a different, secure password.
Other, more manual variations exist where you sign into the manager and then use copy and paste to put passwords etc. in. Some managers, particularly on desktop PCs, will type passwords as a way of getting them across so they work with anything (they literally raise the same set of internal events as you do when you press keys on the keyboard, so the computer thinks it's you typing: they'll type out the username one key at a time like a human would, "press" tab to move to the password field, type out the password, "press" return, etc.)

Some password managers can be taught how to generate 2FA codes too, so they become a one-stop shop for your login requirements, though that does bring with it some element of risk that it's no longer "2 factors" in 2FA

Naturally the access details to log into the password manager are critical to keep secure, so make the password for that a good one, use 2FA on it and ensure that you keep the recovery details secure. Also perhaps a good idea to tell a next of kin how to get into it
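The post above mentions that a password manager can generate 2FA codes as well as fill passwords. The codes in question are almost always TOTP (RFC 6238, built on HOTP from RFC 4226), and the whole secret is the base32 seed shown in the QR code at enrolment. The Python below is an added example, not from this thread or any particular password manager; it implements that algorithm with the standard library so you can see that whoever holds the seed can produce valid codes forever, which is the "no longer 2 factors" risk when the seed sits in the same vault as the password. The seed used here is the RFC 6238 test-vector secret, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import time


def decode_base32_seed(seed: str) -> bytes:
    """Turn the base32 seed from an enrolment QR code / setup key into raw bytes.

    Apps display the seed unpadded and often with spaces; base64.b32decode
    insists on padding, so restore it before decoding.
    """
    s = seed.replace(" ", "").strip().upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' picks 4 bytes at an offset given by the last nibble."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time window.
    Every holder of `secret` with a correct clock computes the same code."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """What the site does on login: accept the code for the current window and
    +/- `window` neighbouring windows to tolerate clock skew, comparing in
    constant time so timing does not leak how many digits matched."""
    for k in range(-window, window + 1):
        candidate = totp(secret, unix_time + k * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 reference secret "12345678901234567890" as it would appear in a QR code.
    seed = decode_base32_seed("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(seed, now)
    print(f"current code: {code}, valid: {verify_totp(seed, code, now)}")
```

The RFC 6238 test vectors (secret "12345678901234567890", 8 digits, SHA-1) give 94287082 at t=59 and 07081804 at t=1111111109; if your implementation reproduces those, it will agree with Google Authenticator, Authy and the built-in generators in password managers. Note that nothing here depends on the device: a copy of the vault that contains the seed is a complete second factor, so the vault's own login and recovery details deserve the protection the post above recommends.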
 