Your iCloud password could be newly exposed from a giant password leak

Posted in General Discussion

A breach exposing 184 million passwords includes Apple login credentials used across iPhone and Mac computers.

Image: Suspected infostealer malware



On May 22, 2025, cybersecurity researcher Jeremiah Fowler reported the discovery of a massive unprotected database containing more than 184 million usernames and passwords. The 47-gigabyte Elasticsearch server was publicly accessible and not secured by a password or encryption.

The exposed credentials covered accounts from at least 29 countries and included login details for widely used platforms such as Facebook, Google, Microsoft, and Apple. Fowler's original disclosure on Website Planet didn't list Apple services by name.

However, a Wired investigation based on a sample of 10,000 records confirmed the presence of Apple, iCloud, and other major services in the dataset.

The database was quickly taken offline after Fowler alerted the hosting provider, World Host Group. The owner of the database remains unknown, and it's unclear how long the data was exposed or whether it had already been accessed by malicious actors.

Why this matters for Apple users



Although Apple's systems weren't breached, users whose Apple ID credentials were reused on other sites are now at elevated risk. Infostealer malware, which is software designed to siphon saved credentials from browsers and apps, appears to have compiled the leaked data.

Once attackers gain access to one reused password, they can attempt to log into other services, including Apple ID accounts. The breach sample included hundreds of Apple login entries. Given the size of the full data set, it's likely that thousands of Apple credentials were included.

Apple accounts are high-value targets because of their integration with payment methods, iCloud backups, and device tracking features. If compromised, attackers may attempt identity theft, gain access to photos or emails, or remotely lock and erase Apple devices.

What we still don't know



Fowler hasn't identified who collected or stored the leaked credentials. It's also unknown how long the Elasticsearch server was online or whether threat actors accessed it before it was secured. The hosting provider hasn't disclosed its customer's identity.

Image: Use Apple's Passwords app



Apple has not issued a public response to the breach as of this writing. The company's built-in security features, such as Sign in with Apple and iCloud Keychain, reduce the risks associated with password reuse.

Still, they can't protect users who reuse credentials across multiple platforms or fall for phishing attempts.

What Apple users should do now



Change your Apple ID password immediately, especially if you've used the same password on other sites. Use a long, unique password that isn't easily guessed.

Additionally, enable two-factor authentication (2FA) if it's not already active. Apple recommends this extra layer of security for all accounts, and you can turn it on through Settings or at account.apple.com.

Next, consider using Apple Passwords or a trusted password manager to create and store unique passwords for each site or app. This practice helps avoid reusing the same credentials across services, which can compromise your security.

Image: Apple also has a Hide My Email service



Using Apple's Hide My Email service as part of the iCloud+ subscription offers another layer of security for online accounts. It lets you create a unique email alias for every account that forwards emails to your Apple ID email. You can deactivate them at any time.

Furthermore, check if your credentials were part of a breach using tools like Have I Been Pwned. Even if your Apple ID wasn't listed, breaches elsewhere could still affect you through reused passwords.
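The Have I Been Pwned check mentioned above works without ever sending your password, or even its full hash, off the device: the Pwned Passwords API takes only the first five hex characters of the SHA-1 digest and returns every known suffix in that range, so the match is made locally. The following Python is an added example written for this page, not code from Have I Been Pwned or Apple; the three-line range response is constructed here so the block runs offline, and `fetch_range_online` is the optional real query (the endpoint URL and `Add-Padding` header are the public API's).

```python
import hashlib
from typing import Callable

# Constructed stand-in for a Pwned Passwords "range" response for prefix 5BAA6
# (the prefix of SHA-1("password")). The real response has hundreds of lines;
# the suffixes and counts below are made up for this offline demonstration.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
"""


def sha1_upper_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the encoding the Pwned Passwords API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_k_anonymity(digest: str) -> tuple:
    """Only the 5-character prefix leaves the device; the 35-character suffix stays local."""
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Match the local suffix against the 'SUFFIX:COUNT' lines returned for the prefix.
    Padded responses include entries with a count of 0, which correctly report 'not seen'."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def check_password(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the breach corpus (0 = not found)."""
    prefix, suffix = split_for_k_anonymity(sha1_upper_hex(password))
    return count_in_range(suffix, fetch_range(prefix))


def fetch_range_online(prefix: str) -> str:
    """Query the real Pwned Passwords range endpoint; requires network access."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "range-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch_range_online for a live check.
    print(check_password("password", lambda _prefix: SAMPLE_RANGE_RESPONSE))
```

The design point is the k-anonymity split: the server learns only that the caller's hash starts with one of 16^5 prefixes, which is not enough to identify the password, while the local comparison still yields an exact answer. A password manager that integrates this check does the same thing for every stored entry.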

Review your iCloud and Apple account settings under Settings > Apple ID > Password & Security. There you can check sign-in locations, trusted devices, and recovery methods to make sure everything is in order.

It's also crucial to monitor your email and app login alerts for suspicious activity, including sign-ins from unknown devices or locations. Lastly, be vigilant for phishing attempts.

If attackers know your email and past passwords, they may create convincing fake emails to trick you into entering your Apple ID credentials on spoofed pages.




Comments

  • Reply 1 of 9
    SiTime (sitime), Posts: 95, member
    Thank you for the heads up. I’ll be changing Apple ID password right away. Thankfully my Apple ID password is unique (as are all of my passwords).

    I also use iCloud+ to generate unique emails for everything (as suggested in this article). So that also should limit any potential issues.

    Edit: Done. Thank you again. Seems like I might need to change Google passwords as well. So that’ll be next. Then Microsoft after that. Then… I don’t know. What else? lol
    edited May 22
    appleinsideruser
     0 Likes, 1 Dislike, 0 Informatives
  • Reply 2 of 9
    netrox (netrox), Posts: 1,578, member
    I don't get it - passwords should ALWAYS be hashed and salted. How can passwords be exposed? Are they still using plaintext? Surely, it cannot be with Meta, Apple, Google, they already know never to hold passwords in plaintext. 

    You cannot use hashed passwords to authenticate. 


    Toroidal
     1 Like, 0 Dislikes, 0 Informatives
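On the question raised in the reply above, a service never needs the plaintext to authenticate: it stores a salt and a slow hash, and at login it re-derives the hash from the submitted password and compares. The Python below is an added example for this thread, not code from Apple or any of the services named; it uses PBKDF2-HMAC-SHA256 from the standard library and a self-describing record format chosen here for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256; OWASP's published guidance is 600,000 iterations.
DEFAULT_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a record of the form algorithm$iterations$salt_hex$digest_hex.
    The password itself is never stored. A fresh random 16-byte salt means two
    users with the same password get different records, so a leaked table cannot
    be attacked with one precomputed lookup for all users."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Authenticate against a stored record: re-derive with the stored salt and
    iteration count, then compare in constant time to avoid a timing side channel."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algorithm}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)                                                 # no plaintext inside
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))              # False
```

The contrast with this leak is where the data lived: a browser or app credential store holds the plaintext so it can fill login forms, which is exactly what infostealer malware reads. Server-side hashing protects against a breach of the service's own database, not against a compromise of the user's machine.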
  • Reply 3 of 9
    WilliamM (williamm), Posts: 32, member
    netrox said:
    I don't get it - passwords should ALWAYS be hashed and salted. How can passwords be exposed? Are they still using plaintext? Surely, it cannot be with Meta, Apple, Google, they already know never to hold passwords in plaintext. 

    You cannot use hashed passwords to authenticate. 
    Infostealer malware, which is software designed to siphon saved credentials from browsers and apps, appears to have compiled the leaked data.
    If this is correct the passwords were not taken from the servers but from users' computers.

    Some websites now offer the use of passkeys as an alternative to passwords. Can anyone advise if passkeys are more resistant to this type of theft than passwords? 
    watto_cobra
     1 Like, 0 Dislikes, 0 Informatives
  • Reply 4 of 9
    netrox said:
    I don't get it - passwords should ALWAYS be hashed and salted. How can passwords be exposed? Are they still using plaintext? Surely, it cannot be with Meta, Apple, Google, they already know never to hold passwords in plaintext. 

    You cannot use hashed passwords to authenticate. 


    Excellent question/point. Conceivably these are the result of a massive brute force effort, I suppose. Once you get a hit, you know the password for an account even if only the hash was stored on the backend.
    FileMakerFellerwatto_cobra
     2 Likes, 0 Dislikes, 0 Informatives
  • Reply 5 of 9
    Marvin (marvin), Posts: 15,585, moderator
    netrox said:
    I don't get it - passwords should ALWAYS be hashed and salted. How can passwords be exposed? Are they still using plaintext? Surely, it cannot be with Meta, Apple, Google, they already know never to hold passwords in plaintext. 

    You cannot use hashed passwords to authenticate. 
    Excellent question/point. Conceivably these are the result of a massive brute force effort, I suppose. Once you get a hit, you know the password for an account even if only the hash was stored on the backend.
    At this scale, phishing is more likely. One way they do it is to compromise a server and send mass emails that look like they are from Apple, Google, Microsoft etc, like this:



    Some users will click the link and login and they get user id and password in plain text, which will get stored in a database.

    It could also be from a legitimate web service that allows logging in via 3rd party services where they haven't bothered to implement the APIs properly and instead put up a standard login that stores everything in plain text.

    Passkeys will eventually make this a thing of the past and these security breaches serve as a reminder why it's important to use them instead.
    FileMakerFellerwatto_cobra
     2 Likes, 0 Dislikes, 0 Informatives
  • Reply 6 of 9
    Sprid (sprid), Posts: 1, member
    netrox said:
    I don't get it - passwords should ALWAYS be hashed and salted. How can passwords be exposed? Are they still using plaintext? Surely, it cannot be with Meta, Apple, Google, they already know never to hold passwords in plaintext. 

    You cannot use hashed passwords to authenticate. 


    I read this as "A database of passwords collected by a hacker was leaked". They didn't come from Apple. Someone nefarious collected them and then stored them. That stored collection was then found by someone else (who subsequently reported it). The unsavory person probably doesn't care much about best practices when storing passwords.
    watto_cobra
     1 Like, 0 Dislikes, 0 Informatives
  • Reply 7 of 9
    AppleZulu (applezulu), Posts: 2,534, member
    Help me out here. If I understand this bit from the article correctly

    "Although Apple's systems weren't breached, users whose Apple ID credentials were reused on other sites are now at elevated risk. Infostealer malware, which is software designed to siphon saved credentials from browsers and apps, appears to have compiled the leaked data,"

    We're not actually talking about a compromise of iCloud credentials, but of a compromise of credentials from other websites, with the vulnerability only affecting iCloud credentials if you reused your iCloud credentials for logging into other websites. Do I have that right? This would mean that if you're not in the habit of reusing passwords (and specifically your iCloud password), this should not affect you, yes?
    StrangeDayswatto_cobra
     2 Likes, 0 Dislikes, 0 Informatives
  • Reply 8 of 9
    StrangeDays (strangedays), Posts: 13,215, member
    SiTime said:
    Thank you for the heads up. I’ll be changing Apple ID password right away. Thankfully my Apple ID password is unique (as are all of my passwords).

    I also use iCloud+ to generate unique emails for everything (as suggested in this article). So that also should limit any potential issues.

    Edit: Done. Thank you again. Seems like I might need to change Google passwords as well. So that’ll be next. Then Microsoft after that. Then… I don’t know. What else? lol
    If you’re using unique passwords your Apple ID is safe, because nobody breached Apple. They collected these credentials from elsewhere. The risk is for people who reuse the same email + pw combo for things like their Apple ID too. 
    watto_cobra
     1 Like, 0 Dislikes, 0 Informatives
  • Reply 9 of 9
    StrangeDays (strangedays), Posts: 13,215, member

    AppleZulu said:
    Help me out here. If I understand this bit from the article correctly

    "Although Apple's systems weren't breached, users whose Apple ID credentials were reused on other sites are now at elevated risk. Infostealer malware, which is software designed to siphon saved credentials from browsers and apps, appears to have compiled the leaked data,"

    We're not actually talking about a compromise of iCloud credentials, but of a compromise of credentials from other websites, with the vulnerability only affecting iCloud credentials if you reused your iCloud credentials for logging into other websites. Do I have that right? This would mean that if you're not in the habit of reusing passwords (and specifically your iCloud password), this should not affect you, yes?
    Correct. 
    watto_cobra
     1 Like, 0 Dislikes, 0 Informatives