Google password settings - Recommending to disable "saving passwords"
Michael Opdenacker

Google-stored passwords insufficiently protected

Have you checked the passwords.google.com page? If you have a Google account, it’s the passwords that you’ve supposedly allowed Google to remember for you.

Screenshot of passwords.google.com

In my case, I have a very limited list, and it’s so old that I don’t even remember letting Google remember them. I most probably accepted this on an Android phone, hoping that the system would store them in a secure way.

However, these are still valid passwords that are poorly protected:

  • If you don’t have Two-Factor-Authentication (2FA), and your Google password is compromised (all the more likely if you use the same password everywhere!), crackers should be able to get access to stored passwords easily (I haven’t checked though, as I’m using 2FA).
  • Even if you have 2FA using an authenticator app, Google still accepts 2FA through a code sent to your phone. This is a weak protection if your password is compromised, because your phone number could be hijacked too (see simjacking attacks).

Knowing all this, you may want to delete the stored passwords and disable this collection.

Screenshot of Google 2FA options, which provide insufficient protection because a code can still be sent to a mobile phone.

Key points to keep in mind:

  • Use unique passwords!
  • Avoid letting Google store passwords for you. Instead, use an open-source password manager such as Bitwarden.
  • Use strong 2FA whenever possible, using an open-source solution like Aegis Authenticator. This limits the consequences of compromised passwords.
  • Share your phone number with care to avoid simjacking attacks. When you do have to share it, at least use a unique e-mail address alongside it (for example via Firefox Relay), so that it is harder to link that account to the other accounts you own.
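The first two points above (unique passwords, and keeping them in a password manager you control) are easy to audit once the passwords live in a manager you can export from. The following script is an added example, not part of the original post and not Bitwarden's own tooling: it reads a JSON export in the shape Bitwarden uses (a top-level `items` list where login entries carry a `login` object with `username` and `password`; this layout is an assumption here) and reports which entries share a password and which passwords are shorter than a chosen minimum. The sample export embedded below is constructed for the example. Item names are reported, never the passwords themselves, so the output can be shared or logged safely.

```python
import json
from collections import defaultdict

# Constructed sample export (not a real vault). The layout mirrors a
# Bitwarden-style JSON export as assumed in the lead-in: a top-level
# "items" list; login items have a "login" object with the credentials,
# other item types (secure notes, cards) have no "login" key.
SAMPLE_EXPORT = json.dumps({
    "items": [
        {"name": "example-mail",
         "login": {"username": "alice", "password": "Correct-Horse-Battery-1"}},
        {"name": "example-shop",
         "login": {"username": "alice", "password": "Correct-Horse-Battery-1"}},
        {"name": "example-forum",
         "login": {"username": "alice42", "password": "Tr0ub4dor&3"}},
        {"name": "example-bank",
         "login": {"username": "alice", "password": "Correct-Horse-Battery-1"}},
        {"name": "secure-note", "notes": "no login here"},
    ]
})


def _login_items(export_json: str):
    """Yield (item name, password) for every item that actually has a password."""
    data = json.loads(export_json)
    for item in data.get("items", []):
        login = item.get("login")
        if not login or not login.get("password"):
            continue  # secure notes, cards, identities: nothing to check
        yield item.get("name", "<unnamed>"), login["password"]


def find_reused_passwords(export_json: str) -> list:
    """Return groups of item names that share one password.

    Each group is a sorted list of names; groups are sorted by their first
    name. The password itself is deliberately not part of the result.
    """
    by_password = defaultdict(list)
    for name, password in _login_items(export_json):
        by_password[password].append(name)
    groups = [sorted(names) for names in by_password.values() if len(names) > 1]
    return sorted(groups)


def find_short_passwords(export_json: str, min_length: int = 12) -> list:
    """Return sorted names of items whose password is shorter than min_length."""
    return sorted(name for name, password in _login_items(export_json)
                  if len(password) < min_length)


def report(export_json: str, min_length: int = 12) -> list:
    """Build human-readable findings as a list of lines (nothing printed here)."""
    lines = []
    for group in find_reused_passwords(export_json):
        lines.append("Reused password across: " + ", ".join(group))
    for name in find_short_passwords(export_json, min_length):
        lines.append(f"Password shorter than {min_length} characters: {name}")
    if not lines:
        lines.append("No reused or short passwords found.")
    return lines


if __name__ == "__main__":
    # Replace SAMPLE_EXPORT with the contents of your own export file,
    # and delete that file once you are done: it holds plaintext passwords.
    for line in report(SAMPLE_EXPORT):
        print(line)
```

Run it against a real export only on a trusted machine, and delete the export file afterwards, since the file itself is exactly the kind of plaintext password store the post warns about.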

See also the corresponding discussion on LinkedIn.