Breached Password Protection details

Hoping someone from Auth0 can provide details here: How does breached password work under the hood?

  1. How does Auth0 determine a breached ‘password’? Is it just matching an email address against a service like haveibeenpwned? If yes, it is not necessarily true that the user’s Auth0 creds are compromised … their Auth0 password may be different than the password from the breached service and we may be prompting a user to change their password unnecessarily.

  2. If the ‘breached’ user does change their Auth0 password, does Auth0 remove them from the breached database or somehow track these users? I assume yes since otherwise the user will be re-prompted to change their password?

A co-worker had opened a ticket on this. The response from Support indicates the following:

“Auth0 maintains a continuously-updated collection of breached credentials”

Implies Auth0 is maintaining their own breached credentials database as opposed to leveraging a 3rd party.

“changing your password is the only way to get off the Breached Password list”

As above, implies Auth0 is maintaining their own breached credentials DB, and they remove your username/email address/password from the breached credentials DB when you change your password.

“users are blocked because Auth0 has confirmed that the passwords of the user are leaked somewhere”

I’m curious to know whether this means, for every entry in the breached credentials DB, Auth0 actually has the breached password? In other words, is a “match”:

  1. “we found your username or email address in a list of breached accounts”, or
  2. “the actual username/email address + password you are using to log in to Auth0 is compromised”
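As an added illustration (not Auth0’s implementation, which is exactly what the question above is asking about), the following Python models the match semantics the post distinguishes over a constructed breach corpus: identifier-only matching, exact credential-pair matching, and a password-only check done as a k-anonymity range query in the style of the HIBP Pwned Passwords API. All identifiers and passwords are hypothetical sample values.

```python
import hashlib

# Constructed sample breach corpus: (identifier, password) pairs as they might
# appear in a leaked dump. Hypothetical values, not real breach data.
LEAKED_PAIRS = [
    ("alice@example.com", "Summer2019!"),
    ("bob@example.com", "hunter2"),
]

def sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()

# Three indexes over the same corpus, one per match semantic.
LEAKED_IDENTIFIERS = {ident for ident, _ in LEAKED_PAIRS}
LEAKED_PAIR_HASHES = {sha1_hex(f"{ident}\0{pw}") for ident, pw in LEAKED_PAIRS}
LEAKED_PASSWORD_HASHES = {sha1_hex(pw) for _, pw in LEAKED_PAIRS}

def identifier_only_match(ident: str) -> bool:
    """Semantic 1: 'we found your username or email in a breached list'.
    Fires even when the user's password here differs from the leaked one."""
    return ident in LEAKED_IDENTIFIERS

def credential_pair_match(ident: str, password: str) -> bool:
    """Semantic 2: 'the exact identifier + password you log in with is leaked'.
    Stops firing as soon as the user changes the password."""
    return sha1_hex(f"{ident}\0{password}") in LEAKED_PAIR_HASHES

def range_query(prefix5: str) -> set:
    """Server side of a k-anonymity lookup: return the suffixes of every leaked
    password hash that shares the 5-hex-char prefix the client sent."""
    return {h[5:] for h in LEAKED_PASSWORD_HASHES if h.startswith(prefix5)}

def password_seen_in_breach(password: str) -> bool:
    """Client side: only the 5-char prefix leaves the client; the suffix
    comparison happens locally, so the password and full hash are never sent."""
    h = sha1_hex(password)
    return h[5:] in range_query(h[:5])

def evaluate(ident: str, password: str) -> dict:
    """Run all three checks so the outcomes can be compared side by side."""
    return {
        "identifier_only": identifier_only_match(ident),
        "credential_pair": credential_pair_match(ident, password),
        "password_only": password_seen_in_breach(password),
    }
```

Under identifier-only matching, `alice@example.com` is flagged even with a password that never appeared in the dump (the false-positive case the first question raises), while under pair matching the flag clears once the password changes.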