I received notification on my iPhone that my MSecure passwords have appeared in a data leak, putting those accounts at high risk etc.
Is this for real or a scam?
Thank you for contacting us. I'm not sure what you are referring to here, and if I'm understanding you correctly, we are not the ones sending the email you are referring to. Can you give me more information about what you see in that email? If it doesn't have any of your personal information in it, can you post the content of the email here?
I don't know anything about what either you are Nick are referring to here. To our knowledge, there has been no attempts and certainly no successful attempts at hacking into any of our systems. Also, the notification @Nick was referring to is not something we send out to our customers. It could very well be that a password he was using for one of his online accounts did appear in a data leak, but that doesn't mean any of our servers have been compromised. The passwords stored in mSecure are simply copies of the data you use to sign in to various online accounts. If an online account is hacked, that does not indicate any type of problem in mSecure. It simply means that some online account system on which he has/had an account experienced a data leak. I would have liked to have acquired more information, but I was not able to.
It is highly unlikely that you are experiencing 5 months later is related to what Nick experienced, so we need to address whatever it is you are seeing as it's on own, isolated problem. What is the message you saw? When you say "Google 'ios password notification'", what does that mean? What exactly did the message tell you?
Also, what do you mean when you say it took 4 tries for a password reset email to actually arrive? How did you go about changing your password? If you did that from the Settings of mSecure on one of your devices, the email that is sent after you change the password may not arrive for awhile, and you don't need to change the password more than one time. Did you change your password from mSecure's Settings, or did you perform an account reset from our website?
I'm not sure why your email is sounding combative, but that's ok, as I'm definitely here to help. I still don't understand why you are thinking the email you are receiving from Apple is related to mSecure. As long as I'm not misunderstanding you in some way, I believe I understand what both you and Nick described about the email you received from Apple. I was not trying to say I wasn't aware that Apple sends out these types of emails.
Also, I'm not trying to infer that you shouldn't trust Apple's security team. That would be absurd of me. They have billions of dollars to put towards anything they need to research, so I'm certain their teams are up to the task of keeping most anything safe and reporting when it isn't.
What I'm trying to do is explain to you how mSecure works and at the same time get information I need to try to figure out what's happening. You and Nick are the only customers that have reported anything of this nature. That's 2 customers in 5 months. The problem is, I still don't understand what it is you received. Can you provide me more information about the email that was sent to you? We have not received any email like you are talking about. As mentioned above, other customers have not sent in similar requests. I wasn't able to get more information from Nick, so I don't have any idea what it is you have actually received. I want to understand what you are receiving, because if there is a problem with something in mSecure, we would want to fix it as quickly as possible. If there is a problem, however, we can't fix it until we know what the problem is.
As I said in my last post, to our knowledge, nothing in our servers has been compromised, and we have systems in place to alert us to these types of problems. Even though we have monitors for this type of thing, I still don't want to dismiss what you have received. Would you like to help me understand more of what you're talking about here? If so, I need to ask what might be a lot of questions about the email you received.
With regards to the password change, I just checked the account that's associated with the email address you're using here in the forum, and there was no sign of the account reset you are describing. When you change your password in the app's settings, you don't get an email sent to you asking you to click on a link to start any type of process. That email is only sent when you are fully resetting your account. When you update your password from mSecure's settings, you will receive an email with an updated QR code for authenticating as the owner of the account, but there is no email sent out that you need to interact with in order to change the password. Are you trying to reset a different account by chance?
Also, I checked the account reset system, and the emails are getting sent as they should be. As I mentioned before, it can take some time before the email arrives, but it shouldn't be longer than about 30 seconds or so. This is another issue we haven't had other customers report, so I can't tell you right now if it's a widespread problem or not. I can tell you that when problems are widespread, many, many customers report the issue.
Thank you for the screenshot. That's exactly what I was hoping to get from either you or Nick. I have not seen this message before, so it's what I needed to help me move forward in figuring out what is causing the message to be generated in iOS.
I'm still not sure why things have become as combative as they have, but I am here to help and try to figure out what's going on. If something on our end needs to be addressed, it will be addressed. We are always thankful for what our users report to us, because it helps to know when we are unaware of what is happening on their devices. We're not seeing this on our devices, and Apple has not alerted us about this issue, so all we can do is ask for information from our customers. Now that I have one screenshot from you, can start a better investigation of what's going on, as a simple Google search didn't help me find what I needed yesterday.
By the way, I see that you have sent in an email to our support team, and it's made it has way to my inbox. We'll continue the discussion there via email unless you would rather continue posting here in the support forum.
Same notification here. It appears that every account on mSecure is in the list.
Same alert here from Apple. When I go down the list, it appears to be a list of things I kept on mSecure, which is the only place I had all of those stored.
Thank you for contacting us about the message you are seeing in iOS's Security Settings. If I understand what's happening, you are using the iOS Password AutoFill feature, and iOS is alerting you to the fact that a password used for mSecure has been compromised. This is a terribly difficult topic to discuss, due to the way Apple has decided to display the issues it finds in the security recommendations.
What's happening is there is a password you are using for some type of service related to mSecure's domain - msecure.com. Typically, this will be a password associated with your forum account, but it could also be getting displayed if you used the account reset feature on our website. With regards to the msecure.com domain, only the forum and the account reset page will ask you to enter a password in your web browser, and when that happens, iOS can ask you if you would like to save that password for later use. Once the password is in iOS's system, it then gets cross-referenced against password leaks on various sites across the internet. If the password you used matches a password that has been compromised, iOS will show you in the Security Recommendations screen. To be clear, all it means is the service Apple has created has found your password to have been used in a different service who's system has been compromised in some way. It could be a data leak, it could be a hacker stealing information, or it could be something else that exposes information stored on their system. But it doesn't necessarily mean that mSecure's system was compromised.
It's also possible that your password was entered into the iOS Password AutoFill feature after entering it into the mSecure app. If that's the case, then if the password you use for your mSecure account was found on a compromised password list, you would see this notification in iOS's Security Recommendation screen.
To be very clear, it does not mean the mSecure account system has been compromised, which is what others have been afraid of. The mSecure app connects to an online system, which is secure and has not been compromised.
One thing to mention here, the way mSecure protects your information was designed to account for data breaches. Since your information is encrypted with a very long, and very strong, randomly generated account key, if our system was compromised, then the only thing that would be available to anyone who got access to the information would be a bunch of strongly encrypted data. The only way to decrypt that data would be to use "brute force" attacks, which would take many, many years to find the right combination of characters to unlock any information stored in the mSecure Cloud. For more information on how data is protected by mSecure, you can look at this article on our support site: mSecure’s Security Model - Secure by design
I hope I was able to answer the question(s) you have about this. If not, please let me know.