The reasoning is fairly technical and I will provide links if you (or anyone) are interested in further explanation. In short:
- Some websites implement an “invisible login form” that the user cannot see and is not alerted about
- On the next page (after you log in), a third-party tracking script is run and the “invisible” form is filled with the data entered into the browser's password manager for that site
- The script then retrieves the login email and sends email hashes to 3rd party servers
Even shorter: Popups let you know your data may get watched. When you autofill a form field, you the dropdown in the form field itself.
Additionally, at your own risk, you can set a flag to stop this behavior:
- Type Brave://flags into the address bar
- Search for a flag called #Fill-on-account-select
- Set this to Disabled, relaunch when prompted
Please let me know if any of this needs further explanation. Here are some useful links for more information on this tracking technique:
See this in action: https://senglehardt.com/demo/no_boundaries/loginmanager/
Further reading (same site): https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/
Our GitHub issue on this: https://github.com/brave/brave-browser/issues/1713
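
A defender-side check for the pattern described in this post, as an added example that is not part of the original post or Brave's code: it lists credential inputs that exist in the page but are not visible to the user, which is where a password manager's autofill can be read without the user noticing. The function names and the visibility heuristics (size, off-screen position, CSS display/visibility/opacity) are assumptions chosen for illustration.

```javascript
// Added example (not from the original post): audit a page for credential
// inputs the user cannot see. In a browser console, call:
//   findInvisibleCredentialInputs(document, window)

// True when the element has no visible area, sits off-page, or is hidden by CSS.
function isInvisible(el, view) {
  const rect = el.getBoundingClientRect();
  // Collapsed to nothing (also covers an ancestor with display:none).
  if (rect.width < 2 || rect.height < 2) return true;
  // Positioned off the page; scroll offset is added so a form the user
  // merely scrolled past is not flagged.
  if (rect.right + view.scrollX <= 0 || rect.bottom + view.scrollY <= 0) return true;
  // The computed visibility/display of the element already reflects inheritance.
  const own = view.getComputedStyle(el);
  if (own.display === 'none' || own.visibility !== 'visible') return true;
  // Opacity is not inherited, so a transparent ancestor must be found by walking up.
  for (let node = el; node && node.nodeType === 1; node = node.parentElement) {
    if (parseFloat(view.getComputedStyle(node).opacity) === 0) return true;
  }
  return false;
}

// Returns one finding per invisible input that a login manager may fill.
function findInvisibleCredentialInputs(doc, view) {
  const selector =
    'input[type="password"], input[type="email"], input[autocomplete="username"]';
  const findings = [];
  for (const input of doc.querySelectorAll(selector)) {
    if (!isInvisible(input, view)) continue;
    findings.push({
      name: input.name || '(unnamed)',
      type: input.type,
      // A non-empty value means autofill has already populated the field.
      filled: input.value.length > 0,
    });
  }
  return findings;
}
```

A finding with `filled: true` on a page where the user never typed credentials is the case worth investigating first.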