-
Happy Birthday ICMag! Been 20 years since Gypsy Nirvana created the forum! We are celebrating with a 4/20 Giveaway and by launching a new Patreon tier called "420club". You can read more here.
-
Important notice: ICMag's T.O.U. has been updated. Please review it here. For your convenience, it is also available in the main forum menu, under 'Quick Links"!
iPhone says ICmag was just now compromised and my password needs to be changed?
- Thread starter thailer
- Start date
odd - I have not seen this one before - the security certificate is current and working today - so should be no problem -
thailer
Well-known member
i am curious if any other iphone users got the same notification? i use the same email and password for another cannabis forum, but i haven't logged into that website on my iphone for a long time and it isn't listed on my password manager on iphone. i just went to that forum and i don't see anyone else posting about it.
its just a throwaway email and password used just for these two accounts i have. the icmag info is saved in my phone and not the other forum tho.
its just a throwaway email and password used just for these two accounts i have. the icmag info is saved in my phone and not the other forum tho.
- Hmm - just change ya password - for peace of mind - you should do that regularly anyway with any password you have - for any site -
Switcher56
Comfortably numb!
I'll bet you dollar to doughnuts you have been compromised somehow. Remember, the Iphone is known to be attacked, almost on a daily basis looking for vulnerabilities. FWIW, I don't allow my electronics to save anything, and my phone is simply for making calls.
thailer
Well-known member
Of all the saved passwords, why just ICmag?
my email password that I use for the email I signed up with for ICmag is different than the one I use to login for ICmag. I wonder if the password I used to sign in to ICmag is so easy for someone else to think of that it was found in some data leak yet it’s not involving myself. Like there’s more than one John Smith.
my email password that I use for the email I signed up with for ICmag is different than the one I use to login for ICmag. I wonder if the password I used to sign in to ICmag is so easy for someone else to think of that it was found in some data leak yet it’s not involving myself. Like there’s more than one John Smith.
thailer
Well-known member
In Settings under Passwords, does it have the info saved? I think that is how I got the notification it was compromised. Or do you enter it every time you login on your iPhone?
This Apple security feature has also been known to give 'false' warnings. It not only compares your mailaccounts against know database leaks but also the password you're using.
For example, if somebody used the same password as you for an emailaccount and that mailaccount got compromised then both the mailaccount and password are registered as compromised.
https://macresearch.org/this-passwor...n-a-data-leak/
The alert may be shown even if you don’t have a password leak of your specific account. For instance, if a 123456 password (a terrible password choice, by the way) has leaked online and you are using the same password for any of your accounts, you will get a warning message because the service compares your current password with the one that has become publicly available in known database leaks.
You said you already checked your mailaccount on 'Have I been Hacked'. That's a very good reflex. If your mail doesn't pop up then don't worry to much. It's probably just then that the same password you're using has been compromised on somebody others mailaccount.
Best is to just change all your password and to regularly check your mailaccount if it's not compromised on any of those check websites.
For example, if somebody used the same password as you for an emailaccount and that mailaccount got compromised then both the mailaccount and password are registered as compromised.
https://macresearch.org/this-passwor...n-a-data-leak/
The alert may be shown even if you don’t have a password leak of your specific account. For instance, if a 123456 password (a terrible password choice, by the way) has leaked online and you are using the same password for any of your accounts, you will get a warning message because the service compares your current password with the one that has become publicly available in known database leaks.
You said you already checked your mailaccount on 'Have I been Hacked'. That's a very good reflex. If your mail doesn't pop up then don't worry to much. It's probably just then that the same password you're using has been compromised on somebody others mailaccount.
Best is to just change all your password and to regularly check your mailaccount if it's not compromised on any of those check websites.
thailer
Well-known member
Well I changed my password for the email and this website. Then I setup two factor auth on that email. My other emails already have that setup. I am also setting up two factor auth on the other forum also which offers it as well as disabling IP address information associated with my posts for good measure. Other websites say my phone and email are not compromised. The password notification on my iPhone comes from something called keychain that sounds like it keeps my passwords encrypted similar to those password managers that check for data leaks and even I need my fingerprint biometric to see the info on my phone.
if I get any other info that other information has been compromised I will report back but with all due respect because I know you’ve taken a lot of time to secure this site, I think it’s the website itself where the info was gained. I don’t have a lot of knowledge tho about how that all works. I just use different passwords for my different accounts and follow general safety advice.
if I get any other info that other information has been compromised I will report back but with all due respect because I know you’ve taken a lot of time to secure this site, I think it’s the website itself where the info was gained. I don’t have a lot of knowledge tho about how that all works. I just use different passwords for my different accounts and follow general safety advice.
Had password saved in settings u til about 3 months ago when I removed the tracking your journey setting and a few others but up until then I never had a problem,,,
- it is simple - dont have a simple password -
Wall of words from https://support.apple.com/guide/secu...c78e79fc3b/web
Password Monitoring
Password Monitoring is a feature that matches passwords stored in the user’s Password AutoFill keychain against a continuously updated and curated list of passwords known to have been exposed in leaks from different online organizations. If the feature is turned on, the monitoring protocol continuously matches the user’s Password AutoFill keychain passwords against the curated list.
How monitoring works
The user’s device continuously performs round robin checks on a user’s passwords, querying on an interval that’s independent of the user’s passwords. This helps ensure that verification states remain up to date with the current curated list of leaked passwords. To help prevent leakage of information related to how many unique passwords a user has, requests are batched and performed in parallel. A fixed number of passwords are verified in parallel on each check, and should the user have fewer than this number, random passwords are generated and added to the queries to make up the difference.
How passwords are matched
Passwords are matched in a two-part process. The most commonly leaked passwords are contained within a local list on the user’s device. If the user’s password occurs on this list, the user is immediately notified without any external interaction. This is designed to ensure that no information is leaked about the passwords a user has that are most at risk due to a password breach.
If the password isn’t contained on the most frequent list, it’s matched against less frequently leaked passwords.
Comparing users’ passwords against a curated list
To verify whether a password not present in the local list is a match involves some interaction with Apple servers. To help ensure that legitimate users’ passwords aren’t sent to Apple, a form of cryptographic private set intersection is deployed that compares the users’ passwords against a large set of leaked passwords. This is designed to ensure that for passwords less at risk of breach, little information is shared with Apple. For a user’s password, this information is limited to a 15-bit prefix of a cryptographic hash. The removal of the most frequently leaked passwords from this interactive process, using the local list of most commonly leaked passwords, reduces the delta in relative frequency of passwords in the web services buckets, making it impractical to infer user passwords from these lookups.
The underlying protocol partitions the list of curated passwords, which contained approximately 1.5 billion passwords at the time of this writing, into 2[SUP]15[/SUP] different buckets. The bucket a password belongs to is based on the first 15 bits of the SHA256 hash value of the password. Additionally, each leaked password, pw, is associated with an elliptic curve point on the NIST P256 curve: P[SUB]pw[/SUB] = ⍺·H[SUB]SWU[/SUB](pw), where ⍺ is a secret random key known only to Apple and H[SUB]SWU[/SUB] is a random oracle function that maps passwords to curve points based on the Shallue-van de Woestijne-Ulas method. This transformation is designed to computationally hide the values of passwords and helps prevent revealing newly leaked passwords through Password Monitoring.
To compute the private set intersection, the user’s device determines the bucket the user’s password belongs to using λ, the 15-bit prefix of SHA256(upw), where upw is one of the user’s loop passwords. The device generates their own random constant, β, and sends the point P[SUB]c[/SUB] = β·H[SUB]SWU[/SUB](upw) to the server, along with a request for the bucket corresponding to λ. Here β hides information about the user’s password and limits to λ the information exposed from the password to Apple. Finally, the server takes the point sent by the user’s device, computes ⍺P[SUB]c[/SUB] = ⍺β·H[SUB]SWU[/SUB](upw), and returns it, along with the appropriate bucket of points—Bλ = { P[SUB]pw[/SUB] | SHA256(pw) begins with prefix λ}—to the device.
The returned information allows the device to compute B’[SUB]λ[/SUB] = {β·P[SUB]pw[/SUB] | P[SUB]pw[/SUB] ∈ B[SUB]λ[/SUB]}, and ascertains that the user’s password has been leaked if ⍺P[SUB]c[/SUB] ∈ B'[SUB]λ[/SUB].
Password Monitoring
Password Monitoring is a feature that matches passwords stored in the user’s Password AutoFill keychain against a continuously updated and curated list of passwords known to have been exposed in leaks from different online organizations. If the feature is turned on, the monitoring protocol continuously matches the user’s Password AutoFill keychain passwords against the curated list.
How monitoring works
The user’s device continuously performs round robin checks on a user’s passwords, querying on an interval that’s independent of the user’s passwords. This helps ensure that verification states remain up to date with the current curated list of leaked passwords. To help prevent leakage of information related to how many unique passwords a user has, requests are batched and performed in parallel. A fixed number of passwords are verified in parallel on each check, and should the user have fewer than this number, random passwords are generated and added to the queries to make up the difference.
How passwords are matched
Passwords are matched in a two-part process. The most commonly leaked passwords are contained within a local list on the user’s device. If the user’s password occurs on this list, the user is immediately notified without any external interaction. This is designed to ensure that no information is leaked about the passwords a user has that are most at risk due to a password breach.
If the password isn’t contained on the most frequent list, it’s matched against less frequently leaked passwords.
Comparing users’ passwords against a curated list
To verify whether a password not present in the local list is a match involves some interaction with Apple servers. To help ensure that legitimate users’ passwords aren’t sent to Apple, a form of cryptographic private set intersection is deployed that compares the users’ passwords against a large set of leaked passwords. This is designed to ensure that for passwords less at risk of breach, little information is shared with Apple. For a user’s password, this information is limited to a 15-bit prefix of a cryptographic hash. The removal of the most frequently leaked passwords from this interactive process, using the local list of most commonly leaked passwords, reduces the delta in relative frequency of passwords in the web services buckets, making it impractical to infer user passwords from these lookups.
The underlying protocol partitions the list of curated passwords, which contained approximately 1.5 billion passwords at the time of this writing, into 2[SUP]15[/SUP] different buckets. The bucket a password belongs to is based on the first 15 bits of the SHA256 hash value of the password. Additionally, each leaked password, pw, is associated with an elliptic curve point on the NIST P256 curve: P[SUB]pw[/SUB] = ⍺·H[SUB]SWU[/SUB](pw), where ⍺ is a secret random key known only to Apple and H[SUB]SWU[/SUB] is a random oracle function that maps passwords to curve points based on the Shallue-van de Woestijne-Ulas method. This transformation is designed to computationally hide the values of passwords and helps prevent revealing newly leaked passwords through Password Monitoring.
To compute the private set intersection, the user’s device determines the bucket the user’s password belongs to using λ, the 15-bit prefix of SHA256(upw), where upw is one of the user’s loop passwords. The device generates their own random constant, β, and sends the point P[SUB]c[/SUB] = β·H[SUB]SWU[/SUB](upw) to the server, along with a request for the bucket corresponding to λ. Here β hides information about the user’s password and limits to λ the information exposed from the password to Apple. Finally, the server takes the point sent by the user’s device, computes ⍺P[SUB]c[/SUB] = ⍺β·H[SUB]SWU[/SUB](upw), and returns it, along with the appropriate bucket of points—Bλ = { P[SUB]pw[/SUB] | SHA256(pw) begins with prefix λ}—to the device.
The returned information allows the device to compute B’[SUB]λ[/SUB] = {β·P[SUB]pw[/SUB] | P[SUB]pw[/SUB] ∈ B[SUB]λ[/SUB]}, and ascertains that the user’s password has been leaked if ⍺P[SUB]c[/SUB] ∈ B'[SUB]λ[/SUB].
