Shocking, I know. Barracuda Labs has a good catch up on their blog. Apparently, Facebook and Google save old passwords, and can leak them under certain circumstances during login attempts. Check out their entire post here . Why is this information being saved?