They have access to hashed passwords. Like every server you log in does.

You misunderstand the article

Wait, how? Array of password hashes on pwnd lists are compared to an array of password hashes in current use. 41% are the same hash. Meaning even after exposure people use the same passwords. What did they misunderstand? That's what I gleaned from it.

Stage 2 enshitification.

They have access to the plaintext password. They are MITMing all websites using their services.

"When we perform these checks, Cloudflare does not access or store plaintext end user passwords." I mean they could be lying but the article says the opposite.

WHEN THEY PERFORM THE CHECK. But by design cloudflare routes "proxied" your traffic through their servers before. Their certificates. They have 5 levels: - Off (no SSL) - flexible (MITM and the server gets no SSL request) - full (MITM, your server gets SSL requests) - full strict (MITM and they enforce the MITM) - strict (MITM)

"I have all this data, but don't worry when I check the passwords I only look at the hashed data!"

Lol, yeesh, I need to research them more. I just self-host so much of my shit I almost forget how much people trust nameless faceless orgs with their data.

It's all good. Not like they haven't been collecting IP addresses, browsing habits and passwords since a decade now. At some point they'll argue that only bad people want to have privacy.

Could they be analyzing the password hash in actuality?