My friend did something stupid. He downloaded an executable from someone pretending to want advice on his indie game from an indie game dev discord community.

The person contacted us, and showed proof of having every password from their google password autofill, and they did, two text files, one for each account on that chrome, of every single auto saved password. They used the info to lock them out of some accounts without 2fa

I chatted alot with the person, they were actually quite chill for someone robbing us, and they explained to me some of the process, and gave me this youtube link, basically explaining that if someone has access to the password file in your appdata, all google chrome autofill passwords can be decrypted without password: https://www.youtube.com/watch?v=EdtDuHhZjkw

Maybe I'll mark down the ransom as a consultancy expense, because learning that all google autofill passwords can be extracted as a text file is kinda useful to know.

Obviously your computer can only be so secure if you download a malware exe... but I thought the file would at least require your main google password (which they did not have) to decrypt.

It's a bit out of my technical field how accurate this all is, so I thought to ask the community. Is google autofill known as a terrible security practice and I just was out of the loop, or was the guy misleading me?