[gonehome]

This isn't accurate - they don't get access to multiple stuff.

- Site0 leaks your password because they store it poorly.

- It's just one password, but it's still leaked.

- You have 2F in 1Password so even though it's picked up in an account list the attacker can't login.

- Weeks later you learn there was a breach.

This is the common case for most accounts and breaches. Though the sites most likely to leak are also ones unlikely to have 2F so it's not perfect.

[hot_gril]

So the attacker gets access to the plaintext passwords but not the rest of the database or the ability to skip the 2FA server-side, and the site doesn't notice. Guess I can see that happening still, since the password DB is likely separate.