Facebook leaking old passwords
I never wrote this down but I just remembered that this happened to me in the past. A very long time ago I was a user of a website called Facebook. One day I tried to log in and after letting my browser auto-fill my password I was greeted with a message along the lines of:
Invalid password! Please note that you changed your password 3 weeks ago.
What the fuck!
Sure, it was useful because it reminded me that I changed my password and the correct password is now in my password manager instead, but why would you do this from the security standpoint?! Why did you just confirm to the attacker that the username is correct?! Why do you still store the old password in any way?! If someone changed their password because it got leaked then you just confirmed to the attacker that this password was real and they should try it with other services! Yes, don't lie to yourselves: 99% of people just use a single password for everything.
What an absurd feature. I also saw the same thing on other websites, just to be clear.
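The information leak described above, as an added example that is not part of the original post and not any site's real code: a login check that answers differently when an old password is submitted, next to a form that gives one answer for every failure. The account layout, the retained old-password hash, the message strings and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed value, kept low so the example runs quickly


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_account(current, previous):
    """Constructed record; 'old' models a retained old-password hash (assumption)."""
    salt = os.urandom(16)
    return {"salt": salt,
            "current": hash_password(current, salt),
            "old": hash_password(previous, salt)}


# Constructed sample data: one user who changed their password.
USERS = {"alice": make_account("new-passphrase", "hunter2")}
DUMMY = make_account("dummy", "dummy")  # hashed for unknown users to even out timing


def login_leaky(username, password):
    """Behaviour described in the post: an old password gets its own answer."""
    account = USERS.get(username)
    if account is None:
        return "Invalid username or password"
    digest = hash_password(password, account["salt"])
    if hmac.compare_digest(digest, account["current"]):
        return "OK"
    if hmac.compare_digest(digest, account["old"]):
        # Confirms both that the username exists and that the password was real.
        return "Invalid password! You changed your password recently."
    return "Invalid username or password"


def login_uniform(username, password):
    """One failure message and the same hashing work for every failure cause."""
    account = USERS.get(username, DUMMY)
    digest = hash_password(password, account["salt"])
    ok = hmac.compare_digest(digest, account["current"]) and username in USERS
    return "OK" if ok else "Invalid username or password"


def distinct_failures(login):
    """Count the different failure answers an outside observer can tell apart."""
    probes = [("bob", "hunter2"), ("alice", "wrong"), ("alice", "hunter2")]
    return len({login(u, p) for u, p in probes})
```

The uniform version never reads the old hash, so a reminder that the password changed would have to reach the account owner through a separate channel such as e-mail rather than the login response.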