Today I created an online account (a financial website), using a new password that I have never used before (and nothing like any password I've used before). It's a moderately strong 12 character password including random lower case alphabetic and numeric characters, capitals and symbols. The login process is two steps: 1. username and date or birth then if this is successful 2. password and selected characters from a security number On submitting the above, I get a warning from Chrome: "A data breach on a site or app exposed your password. Chrome recommends changing your password on xxxx.yy.co.uk now." Given (1) this is a new, moderately strong password, (2) the combination of the password and security number changes each time I login and (3), the website haveibeenpwned.com/passwords says "no pwnage found" for this new password, I'm surprised to say the least. Could Chrome have this wrong, or could it be complaining about some other combination of data used during the two step login process? Is there any way to check?