
GitHub claims my password has somehow been compromised and leaked, but there is no other evidence of it


Recently GitHub welcomed me with a notification (screenshot omitted) saying that my password is commonly used on other websites and that, for my own security's sake, I should change it ASAP. If not, they will reset it for me after a while.

The thing is, my password is quite specific and far from generic. The odds that someone randomly came up with the very same idea are close to 0. What's worse, I use it on a couple of other domains and all of them are very sensitive, for instance to log in to my medical records in the governmental service of the national healthcare system in my country. I've double-checked all those services and so far none of them has reported any recent leaks or security breaches. I also checked a couple of the most popular lists of compromised passwords, with no results.

Is there a way to get the list of "commonly used passwords" that GitHub uses for comparison? And should I be worried that somehow there was a security breach that wasn't made public?

Or maybe this entire thing was merely a mistake made by GitHub?


Solution

  • As with other large companies, there is strong indirect evidence that GitHub actively seeks out passwords that have been leaked from compromised sites, in order to make these notifications. They're proactively correlating email:password pairs before the bad actors do (because that's exactly what the bad actors do!).

    It's more likely that the password is a "real" match - either because someone had a similar strategy for password composition, or else your password was part of at least one leak available to GitHub - and less likely that it's some kind of coincidence (and therefore, you should take the actions that GitHub suggests).

    There are a couple of ways that you can try to validate this for yourself:

    • Use a service like Have I Been Pwned to see if your email address has been part of a leak. (But note: not all leaks are the same; just because your email address was in a marketing-info leak doesn't mean that your password or password hash was exposed - so you have to cross-check the results against HIBP's list of "pwned websites" to see if the listed leaks contained password data)

    • Download the list of all cracked passwords from a site like HashMob.net, and then locally search that (very large) file on your own system to see if your password appears there.

    (And you'll notice that I don't include "put your password in some website to see if it's listed" in my recommendations above, for security reasons!)

    Finally, note that these approaches are only definitive if you do find a match. If you don't find a match, GitHub may have access to leak data that these other sources are missing, etc.

    Bottom line, regardless: I'd do what GitHub is suggesting. I'd also move to using a password manager so that you can more easily use a truly unique password for all websites, and stop reusing any passwords for any reason. (Even if you just reuse a password for "unimportant" sites, this information can be correlated in ways that you may not be able to predict!)
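The second check in the answer above, searching a downloaded list of cracked passwords locally, is easy to get subtly wrong (reading the whole file into memory, or passing the password on the command line where it ends up in shell history). The following is an added example written for this page; it is not code from the answer's author, GitHub or HashMob. It assumes two common list formats: one plaintext password per line, and one "SHA1HEX:count" per line as used by hash-only password dumps. The lists it searches are constructed in the script itself and are not real leak data.

```python
import hashlib
import os
import tempfile
from getpass import getpass

# Constructed sample "cracked password" list; these are NOT real leak data.
# Format 1: one plaintext password per line (the usual form of a wordlist).
SAMPLE_PLAINTEXT_PASSWORDS = ["123456", "password", "letmein", "qwerty"]


def sha1_upper_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password as uppercase hex. Assumption: the hash list
    you downloaded uses this same encoding (common for hash-only dumps)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def sample_hash_list_text() -> str:
    """Format 2: 'SHA1HEX:count' per line, built from the constructed list."""
    return "".join(f"{sha1_upper_hex(p)}:{i + 1}\n"
                   for i, p in enumerate(SAMPLE_PLAINTEXT_PASSWORDS))


def password_in_plaintext_list(password: str, path: str) -> bool:
    """Stream the file line by line so a multi-gigabyte list never has to fit in RAM."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            if line.rstrip("\r\n") == password:
                return True
    return False


def password_hit_count_in_hash_list(password: str, path: str) -> int:
    """Return the count recorded for the password's SHA-1, or 0 if absent.
    Only the digest is compared, so the plaintext is never written anywhere."""
    target = sha1_upper_hex(password)
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        for line in fh:
            digest, _, count = line.rstrip("\r\n").partition(":")
            if digest.upper() == target:
                return int(count) if count.isdigit() else 1
    return 0


def write_sample_lists(directory: str) -> tuple:
    """Write both constructed lists into `directory` and return their paths."""
    plain_path = os.path.join(directory, "cracked-plaintext.txt")
    hash_path = os.path.join(directory, "cracked-sha1.txt")
    with open(plain_path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(SAMPLE_PLAINTEXT_PASSWORDS) + "\n")
    with open(hash_path, "w", encoding="ascii") as fh:
        fh.write(sample_hash_list_text())
    return plain_path, hash_path


def check_against_sample_lists(password: str) -> dict:
    """Run both checks against the constructed lists in a throw-away directory."""
    with tempfile.TemporaryDirectory() as tmp:
        plain_path, hash_path = write_sample_lists(tmp)
        return {
            "in_plaintext_list": password_in_plaintext_list(password, plain_path),
            "hash_hit_count": password_hit_count_in_hash_list(password, hash_path),
        }


if __name__ == "__main__":
    # Read the password from a prompt, never from argv: argv lands in shell
    # history and is visible to other local users through the process list.
    candidate = getpass("Password to check against the local sample lists: ")
    print(check_against_sample_lists(candidate))
```

To use it against a real downloaded list, point `password_in_plaintext_list` or `password_hit_count_in_hash_list` at that file instead of the constructed ones; both functions only ever hold one line in memory. Matching is exact and case-sensitive, which is what you want here: a near-miss on a leaked list is still a reason to treat the password as burned, but it is not the match GitHub reported.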