One thing the company could have done is periodically check https://haveibeenpwned.com/ to see if their users' accounts are part of breaches. Also, they offer a password API, which they could have used to blacklist weak passwords (so they are less likely to get cracked after getting exposed in unrelated breaches). The password API uses K-Anonymity, so the passwords are not fully transmitted, and the final check of whether the password has been found in previous breaches happens locally.
In case some developer here reads that, I recommend implementing at least the password check. Laminas (and probably other major frameworks) offer predefined functions for that, so the implementation should be very fast and simple.
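As an added illustration of the k-anonymity range lookup described in the comment above (this is example code, not from the commenter, from Laminas, or from Have I Been Pwned): the client SHA-1-hashes the candidate password, sends only the first five hex characters of the digest to the range endpoint, receives every suffix in that bucket, and does the final match locally. The endpoint URL and the `SUFFIX:COUNT` response format are the real ones; the response body below is constructed for offline use, and its count is a made-up number, not the live figure.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Real Pwned Passwords range endpoint; only the 5-char prefix is ever sent to it.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split the upper-case hex digest into
    the 5-character prefix (sent to the API) and 35-character suffix (kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the API's text body: one 'SUFFIX:COUNT' pair per line."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appeared in known breaches (0 if never).

    fetch_range(prefix) must return the raw body for that prefix; injecting it
    lets the same logic run against a live fetcher or an offline fixture."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Live fetcher (not called in this example): GET the bucket for one prefix."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "example-password-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed fixture: SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8,
# so it lives in bucket 5BAA6. The count 1000000 is invented for the example;
# the other two suffixes are random filler to mimic a real multi-line bucket.
CONSTRUCTED_BUCKETS = {
    "5BAA6": (
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000000\n"
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1\n"
    ),
}


def fetch_range_offline(prefix: str) -> str:
    """Offline stand-in for the API: unknown prefixes return an empty bucket."""
    return CONSTRUCTED_BUCKETS.get(prefix, "")


def is_acceptable(password: str, fetch_range: Callable[[str], str] = fetch_range_offline) -> bool:
    """Policy hook for a registration form: reject anything seen in a breach."""
    return breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate, fetch_range_offline)
        print(f"{candidate!r}: seen {n} times, acceptable={is_acceptable(candidate)}")
```

Swap `fetch_range_offline` for `fetch_range_live` to query the real service; the server still only ever sees the five-character prefix, which maps to hundreds of unrelated hashes, so the submitted password cannot be recovered from the request.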
If they send everything a user types to their servers, that would be provable by simply observing the network, no?