A Confection admin discovered that the password to his personal Google account has been compromised. This impacts three personal accounts, including his password manager. The admin's Confection-related logins and passwords appear in that manager.
However, the admin uses a physical token and 2FA for all three affected accounts. Moreover, the admin has not lost access to any of the three affected accounts or detected any unauthorized usage. It's unlikely anyone but the admin could gain access to the affected accounts, even with the password.
As a fix, the admin has changed the compromised password in Google and all three other systems. He's personally monitoring the accounts for any unauthorized login activity, suspicious account usage, and/or suspicious messages or contact. We're doing the same on the Confection system level.