Data leak on an iPhone: How to view and fix leaked passwords


If you’re an iPhone user, you might have seen the notification about one of your passwords appearing in a data leak. While this sounds alarming, there’s no need to panic—it does not necessarily mean you are at risk. But it’s a good reminder to use strong, unique passwords on all your accounts.

What does a data leak mean on iPhones?

Users can store account credentials on their iPhones, including usernames and passwords. This makes logging in easier. From time to time, you’ll be alerted to one or more of your passwords having appeared in a data leak.

There is a lot of misunderstanding around the “data leak” warning on iPhones. The exact wording is: “This password has appeared in a data leak.”

What does it mean if my password has appeared in a data leak?

It does not mean your account was part of a data leak. It does not mean anyone has found out your password for that specific account. It means your exact password has appeared in some data leak somewhere, not necessarily related to the website or account your password is used on. 

For example, if your password for your Amazon account is “redsox2004”, and your iPhone informs you it has appeared in a data leak, this simply means that in publicly available account credentials covering various companies that were breached, “redsox2004” was on the list of passwords. So it’s likely that someone else was using the same password as you. (If you use a common password like “123456”, Apple will simply flag it as a weak password and prompt you to change it, no matching necessary.)

If you follow the news, you’ll know that companies are getting breached all the time. That’s potentially a lot of leaked passwords that could coincide with one of yours. If your passwords aren’t complex or long, a match is almost certain.

So your account isn’t in immediate danger. But you should ideally take Apple’s advice and change your password to a stronger one. A password that someone else also uses is not the most secure. Plus, hackers are now aware of this password as one to try on numerous accounts, which makes your account vulnerable.

How serious are data leaks?

While getting a notification about your password appearing in a data leak is not that serious, data leaks in general can be a massive risk for individuals, organizations, and even societies. However, the seriousness of data leaks varies widely. Hackers might have been able to extract valuable information, or they might have only gotten a hold of fairly useless data.

If information like your credit card number or account password is leaked, you must take action—such as closing those accounts—to prevent misuse of that information.

These are areas that might be affected by a data leak:

Privacy. Data leaks often result in the exposure of personal and sensitive information, such as names, addresses, phone numbers, social security numbers, financial details, or medical records. This can lead to identity theft, impersonation, fraud, or harassment. Data leaked from one source can be used as a starting point for social engineering attacks, where hackers manipulate individuals by leveraging their leaked information.

Financial loss. Stolen financial information, such as credit card numbers or bank account details, can be used to cause significant financial harm to individuals or organizations. It is also costly to try to recover losses, improve systems, and communicate the issue to customers.

Reputational damage. When sensitive information is compromised, it erodes trust and can lead to customer or client dissatisfaction, loss of business, and damage to brand reputation.

Legal and regulatory consequences. Depending on the jurisdiction and the nature of the data leaked, there may be legal and regulatory implications for organizations. Data protection laws, such as the General Data Protection Regulation (GDPR) in the European Union, impose significant penalties for mishandling or failing to adequately protect personal data.

National security risks. In some cases, data leaks can pose risks to national security, particularly when sensitive government or military information is exposed. 

Why did Apple send you a data leak notification?

To enhance your security, Apple compares the passwords you store on your iPhone against known leaked passwords to try to find matches. The company does this using methods that don’t reveal your passwords to Apple. All the processing happens on your device only.

The notifications are suggestions to change your password to a stronger one. You do not need to do anything if you don’t want to.

How to check compromised passwords on an iPhone or iPad

Follow these steps to see your compromised passwords.

  1. Open Settings
  2. Tap Passwords
  3. Tap Security Recommendations
  4. Toggle on Detect Compromised Passwords

You’ll now be shown the passwords you have that appeared in data leaks. Note that this does not mean a hacker has your account information (username and password for a given site or app); it just means your password matches one that was part of a data breach. But it suggests your password is weak and could be easily guessed.

Tap on an account, and you’ll be prompted to change your password on the relevant website. Choose a random, long one for the best security. You’ll have to do this one account at a time. This is also a good time to consider closing any accounts you don’t use any more.

Is an iPhone password data leak real?

This can cause confusion, but a notification on your iPhone that your password was in a data leak does not mean your actual account details were leaked. It just means your password matched a password that was part of a data leak.

So it’s not imperative that you change your password, but it is a good idea to do so, and to choose a unique, complex, random one.

As for the database of leaked passwords Apple is using, this is not information the company provides, but leaked passwords are publicly available if you do a search. You can enter a password into HaveIBeenPwned to check if it’s appeared in a data leak. For instance, inputting “redsox2004” reveals that it’s appeared in data leaks 7,192 times before.

How to manage your saved passwords on iPhone

When you sign up for accounts on websites or apps, your iPhone detects this and will offer to store your password. Your phone will also be able to fill in your password for you when you need to log in to an account.

To manage your passwords (i.e., change the password that’s been saved or delete it):

  1. Go to Settings
  2. Tap Passwords, where your saved passwords will be listed
  3. Tap the account you want to update
  4. Tap Edit
  5. Tap the User Name or Password field and make changes. You may also add a note, update the website URL the login is associated with, or delete the login.

You don’t have to use your phone’s password storage though. There are various reasons to use a separate password manager, such as ExpressVPN Keys, which comes with every ExpressVPN subscription. One benefit is that you can easily sync passwords on different devices, if you use devices other than Apple. For instance, you can get ExpressVPN Keys on your iPhone and on your Windows computer (as a Chrome extension), and the passwords would be synced across those devices.

Another reason to use ExpressVPN Keys is our expertise in security (and our obsession with yours). If you already use ExpressVPN, it doesn’t cost you anything to also use Keys for storing your passwords and filling them in automatically.

How to protect your accounts against data leaks

While data breaches seem to happen so frequently that the situation can feel like it’s out of your control, there are practical steps you can take to prevent them from affecting you.

Use unique passwords. If a few of your accounts use the same email (as username) and password, a hacker who gets a hold of one set of credentials can try it on different accounts until they land on ones where it works. Ensuring your accounts all use different passwords will minimize the damage in case your password is leaked. A password generator can help you come up with strong, unique passwords—which should be stored in a password manager like ExpressVPN Keys.

Set up two-factor authentication. If you have two-factor authentication, logging in to your account will require more than just your username and password. You’ll be asked to input a one-time code, which you can have sent to your phone or email, or get from an authenticator app. This means if your password is leaked, the attacker would still not be able to access your account.

Vanessa is an editor of the blog.