“Ultimately, we’ve learned that our password encryption feature’s security was partially undermined by browser behavior,” said the team at MetaMask.