Does anyone know what passwords the DB/tweet refers to? I thought all logins were OTP based (source: my usage).

The email I got from haveibeenpwned mentions "passwords" too. I suppose they create a default randomised password for every user account?

BigBasket did allow passwords a long time back. But have since reverted to using OTPs for a few years now.