Facebook leaking old passwords
I never wrote this down but I just remembered that this happened to me a long time ago when I was still using Facebook. One day I tried to log in and after letting my browser auto-fill my password I was greeted with a message along the lines of:
Invalid password! Please note that you changed your password 3 weeks ago.
Sure it was useful because it reminded me that I changed my password and the correct password is now in my password manager instead but why would you do this from the security standpoint? Why did you just confirm to the attacker that the username is correct? Why do you still store the old password in any way? If someone changed their password because it got leaked then you just confirmed to the attacker that this password was real and they should try it with other services. Let's not lie to ourselves, 99% of people just use a single password for everything.
I also saw the same thing on other websites so Facebook isn't alone in this. Maybe the downsides are worth the better user experience, I don't know.