@DeveloperMemes @marmarper If a service is stupid enough to tell you when a password has already been used, it very possibly also stores them in clear text.
But it can also mean that passwords are being hashed, but are not being salted, so by comparing two hashes, you can tell if they stand for the same password. Not using salted hashes makes them vulnerable to attacks that involve comparing hashes to a series of precomputed hashes and allow an attacker that knows the password for one account to get access to other accounts with the same password.

@marmarper @DeveloperMemes the passwords could still be hashed in this situation, but if so they couldn't be salted -- which, these days, is almost as stupid as not hashing the passwords in the first place.

@marmarper @DeveloperMemes you can figure out duplicate passwords even when using salted Argon2.

For every row in the database calculate the hashed password given the user-specific salt. If there's a duplicate you can find it even without storing anything insecure.
It also does not require any brute force.

It's pretty stupid b/c these hash algorithms are purposefully intense in calculations