Breached Password Protection details

A co-worker had opened a ticket on this. The response from Support indicates the following:

“Auth0 maintains a continuously-updated collection of breached credentials”

This implies Auth0 is maintaining its own breached credentials database, as opposed to leveraging a third party.

“changing your password is the only way to get off the Breached Password list”

As above, this implies Auth0 is maintaining its own breached credentials DB, and that they remove your username/email address/password from the breached credentials DB when you change your password.

“users are blocked because Auth0 has confirmed that the passwords of the user are leaked somewhere”

I’m curious to know whether this means that, for every entry in the breached credentials DB, Auth0 actually has the breached password. In other words, is a “match”:

  1. “we found your username or email address in a list of breached accounts”, or
  2. “the actual username/email address + password you are using to log in to Auth0 is compromised”