Compromised Password Alert
Mass Audubon has received some user inquiries regarding compromised password notifications that appeared while users were logging into Mass Audubon’s program registration system via a mobile device. The notification indicates that the password may be compromised and should be reset immediately.
Mass Audubon does not share user credentials and this notification is not an indicator that Mass Audubon was breached. At this time, Mass Audubon has determined that none of its internal systems have been compromised and no intrusion has occurred. Further, this notification only applies to Apple device users operating on iOS 14.
With the release of iOS 14, a new feature was introduced that notifies users when their stored passwords have been compromised. To do this, Safari uses strong cryptographic techniques to regularly check derivations of passwords against a list of breached passwords in a secure and private way that doesn’t reveal the user’s password information to the website they are trying to log into or even to Apple.
Why A User Would Receive This Notification
If a user receives this notification while attempting to log into Mass Audubon's program registration system, it could be an indicator that iOS 14’s algorithm has compared the password the user entered against a breached-password database and has determined that it's likely the password has been compromised in the past. Mass Audubon does not share client or user information with Apple and has no way of knowing how or why the password is flagged.
Out of an abundance of caution, Mass Audubon recommends that users who receive this notification select "Not Now", go directly to massaudubon.org/register/login, enter their email address, click "submit", and then click "set or reset your password" to request a password reset email. Do not change your password through the "Change Password on Website" option, as you may be directed to the wrong place.
For more information, go to Settings > Passwords > Security Recommendations on your iOS 14 device. If an account has a weak or compromised password, a message explains the problem.