Hoping someone from Auth0 can provide details here: How does breached password work under the hood?
- How does Auth0 determine a breached ‘password’? Is it just matching an email address against a service like haveibeenpwned? If yes, it is not necessarily true that the user’s Auth0 creds are compromised … their Auth0 password may be different from the password from the breached service, and we may be prompting a user to change their password unnecessarily.
- If the ‘breached’ user does change their Auth0 password, does Auth0 remove them from the breached database or somehow track these users? I assume yes, since otherwise the user will be re-prompted to change their password?