This is going to sound wild.

My friend Edwin was ordering products off of the Ghost Energy app and when he went to proceed with logging into PayPal to pay, the iOS Keychain suggestion popped up from the bottom of the screen with Alex’s personal email listed as an autofilled email. He was able to click on it to continue and it autofilled Alex’s PayPal information. He immediately backed out and went to check the Passwords section of the Settings app, where he was able to see all of his own saved passwords AND Alex’s as well, which added over 150+ additional passwords/logins. How on earth can this happen? This is what we know and have confirmed:

  • They are not sharing location, in a family sharing group, or sharing any passwords between them.

  • They have not ever logged into anything on one another’s phones.

  • They have never sent any links to one another from the Ghost Energy app.

  • Alex has never sent Edwin his personal email ever.

  • They have never sent or received files/media through the close proximity file transfer feature from iPhone to iPhone.

Any insight would be greatly appreciated. I am a long time Mac/iPhone user and have never seen anything like it.

Update: Forgot to add we have a screen recording of Edwin recreating the whole situation but we are not quite nerdy enough to blur out all the personal information shown.

  • pezdalB
    11 months ago

    Have they ever plugged into the same Mac (at different times)?

    What iOS versions are they each running?

    Are they using a third party password manager?

    Are either or both developers or hackers?

    I can’t think of anything else, other than perhaps they are pranking you?

  • SLJ7B
    11 months ago

    Have both of them add a new password to their saved passwords and find out if it shows up on the other’s phone. If it does, that’s a big problem but at least it can be traced. If not, it means that some saved passwords migrated to Edwin’s phone for some reason, but it’s not being actively synced.

    Someone had to have signed into iCloud and then keychain on the wrong account. That’s been end-to-end encrypted since day 1. I just can’t see a way this would have happened otherwise. You can’t AirDrop an entire keychain and I think family sharing of passwords is recent, plus you said they’re not in family sharing. And this has nothing at all to do with the Ghost Energy app either.

    Keep us posted.

  • pezdalB
    11 months ago

    There is a feature in Settings in iOS 17 (and maybe earlier) called AirDrop Passwords.

    Maybe they were screwing around with this?

    Is it possible one friend had access to the other’s phone and transferred them (by accident playing around or otherwise) and is lying now to protect himself?

    • Z3ROS1XB
      11 months ago

      This is what I was thinking, AirDrop Passwords. That has to be what happened.