This password has appeared in a data leak
“This password has appeared in a data leak” is a disturbing message that a number of iPhone and iPad users have been seeing lately in the Passwords menu of their Settings app. This alarming message has been a hot topic in Apple forums where people have been concerned about why they are getting it and what they should do about it.
If you have checked your iPhone or iPad’s passwords menu and you have found a warning telling you “This password has appeared in a data leak, which puts this account at high risk of compromise. You should change your password immediately” or another variant of the message warning you about “Easily guessed” or “Reused” password, then you should definitely take it seriously.
What this message indicates is that the password you are using for your account has become publicly available online.
Why are you getting such a message in the first place?
Unfortunately, in this digital era, no one is fully protected against data leaks. Big and small businesses and their websites and servers are hacked all the time by active cybercriminals and people with malicious intentions. Known data leaks are typically stored in public databases that are available online. These databases allow you to manually search them for your passwords, see which websites have suffered data leaks, and even receive personal alerts about credential leaks related to your accounts.
But how does Apple know that your passwords have appeared in a data leak? Well, this is a new feature built into iOS 14 called “Security Recommendations” that monitors your passwords and notifies you if they are too weak, if you are reusing them, or if they show up in known data leaks.
If you have just updated your iPhone or iPad to iOS 14, or you are already using this iOS version, you can find the “Security Recommendations” feature in the Passwords menu of the Settings app.
On your iPhone, this feature can be turned ON and OFF when you go to Settings >>> Passwords >>> Security Recommendations >>> Detect Compromised Passwords.
When turned on, the service checks if any of the sites you have accounts on has been pwned, then checks the last date you updated your password. If the date of your last password update is older than the date when the site was pwned, then you’ll see a warning on your Apple device.
The new “Security Recommendations” feature does that monitoring automatically and matches your stored passwords against known databases of leaked passwords. If there’s a match, you’ll be alerted by a “This password has appeared in a data leak,…” message.
The alert may be shown even if you don’t have a password leak of your specific account. For instance, if a 123456 password (a terrible password choice, by the way) has leaked online and you are using the same password for any of your accounts, you will get a warning message because the service compares your current password with the one that has become publicly available in known database leaks.
In any case, getting such a message is an indicator that your password may not be very strong and you had better update it.
Users of iCloud Keychain may be greeted with a “This password has appeared in a data leak,…” or a similar security alert on all their synced devices, including iPhone, iPad, and Mac.
On your iPhone, you can customize the settings of your iCloud Keychain and change or remove passwords from Keychain by navigating to Settings >>> Passwords. All security recommendations and warnings related to your passwords will be visible there.
The most “high-risk” message of them all is the “This password has appeared in a data leak, …” message. Another warning message that may be displayed as a security recommendation may warn you if “You’re reusing this password on other websites”. If you scroll under “Other Recommendations” you may find a notification alerting you about “Easily guessed password”.
A single tap on each of the alerts will display more information about your login details for that particular website and the date of your last password update.
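The three warning types described above (leaked, reused, easily guessed) can be reproduced with a small local audit. This is an added example, not Apple's implementation and not code from the original article; the sample logins, the leaked-password set and the `easily_guessed` heuristic are constructed assumptions.

```python
import hashlib
from collections import defaultdict

def digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed sample: a tiny stand-in for a breached-password corpus,
# held as SHA-256 digests rather than plaintext.
LEAKED_SHA256 = {digest(p) for p in ("123456", "password", "qwerty123")}

# Constructed sample of saved logins: (site, username, password).
SAVED_LOGINS = [
    ("shop.example", "ana", "123456"),
    ("mail.example", "ana", "Tr1cky-Harbor-Lamp-42"),
    ("forum.example", "ana", "Tr1cky-Harbor-Lamp-42"),
    ("bank.example", "ana", "aaaa1111"),
    ("news.example", "ana", "v9#Lq2!xWz7&Rk4p"),
]

def easily_guessed(password: str) -> bool:
    """Heuristic assumed for this example: short, one character class, or few distinct characters."""
    classes = sum(any(f(c) for c in password) for f in
                  (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()))
    return len(password) < 12 or classes < 2 or len(set(password)) < 5

def audit(logins, leaked):
    """Return {site: [warnings]} using the three categories the article describes."""
    sites_by_password = defaultdict(list)
    for site, _user, pw in logins:
        sites_by_password[pw].append(site)
    report = {}
    for site, _user, pw in logins:
        warnings = []
        # The match is on the password value alone, so a common password is
        # flagged even if this particular account was never breached.
        if digest(pw) in leaked:
            warnings.append("appeared in a data leak")
        if len(sites_by_password[pw]) > 1:
            warnings.append("reused")
        if easily_guessed(pw):
            warnings.append("easily guessed")
        report[site] = warnings
    return report

if __name__ == "__main__":
    for site, warnings in audit(SAVED_LOGINS, LEAKED_SHA256).items():
        print(f"{site:14} {', '.join(warnings) or 'no warnings'}")
```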
What actions should you take?
If you see any of these password warning messages, it is best to immediately change your password to one that is unique and strong enough. This ensures that if your login credentials have become publicly available due to a data leak, or could be breached because they are weak, no one can use them to access your accounts once you have updated them.
Tips on password protection and best security practices
Your first concern if you see a “This password has appeared in a data leak,…” message should be how to protect your account from being accessed by other people. This can be done by creating a new password that:
- includes different symbols, numbers, and letters in a hard-to-guess combination
- has a minimum of twelve to fourteen characters
- is unique for that specific account and not used in other accounts
- does not contain real words or common phrases
- does not contain personal details about you that could be found elsewhere (such as name, birthday, etc.)
If you find it hard to create such a password, you can use iCloud Keychain or some other password manager of your choice to generate and save unique and complex passwords that can protect your accounts.
To change passwords on your iPhone, go to Settings >>> Passwords >>> Security Recommendations and select Change Password on Website.
A good security practice that can add an extra security layer to your account and help you avoid password breaches is to switch on two-factor authentication on your iPhone or iPad. Here is how to do it:
- On the home screen, tap on the “Settings” option.
- Next, at the top of the Settings screen, tap on your name.
- Then, tap on “Password and Security”.
- You will find the option “two-factor authentication”.
- Tap it to turn it ON.
Another tip that helps to keep your iPhone, iPad, or Mac safe is to regularly update all software that you are using. The majority of users are typically careless when it comes to app updates but this is one of the ways they lose their passwords in data leaks. Regular software updates are important for your online safety, thus, we recommend you set your applications to auto-update so that all the latest updates and security patches can be installed immediately after their release.
Also, it is a good idea to update the passwords of old and inactive accounts since these are the most common target of a password attack. You should not forget about them because people with malicious intentions can easily hack your login credentials and access sensitive data from those inactive accounts. If you don’t use an account and don’t plan on using it in the future, it is better to deactivate or terminate it as another step towards your online protection.