Either that, or they obtained the list of exposed passwords, hashed them with whatever hashing method they use, then compare hashes against the ones that you've got saved.
A match=Compromised password.
That's how I'd do it if I were trying to protect my users without infringing on their privacy.
@alxd @GigaByte4711 look at it this way: you have no way of ascertaining they cannot.
So it's best to assume whatever you hand to such a service is not controlled by you anymore.
"So it's best to assume whatever you hand to such a service is not controlled by you anymore."
Agreed.
I'm not sure how google hashes/encrypts those passwords, but obviously its not a one-way method. I reckon there's a chance that they use your google password (or another auth token) to encrypt your plaintext password, allowing you to decrypt it.
Again, we don't know, so we can't be sure.
@GigaByte4711 Yeah, but Google Password Manager can show you your decrypted passwords online, even if they didn't leak. Google can decrypt them on their own server, that's the problem.