This from The Verge. Not for nothing, I urge the use of a password manager, but I have never been an advocate of the built version from your browser. Even if this method is new, unfortunately browsers are generally under siege,
The researchers examined two different scripts — AdThink and OnAudience — both of are designed to get identifiable information out of browser-based password managers. The scripts work by injecting invisible login forms in the background of the webpage and scooping up whatever the browsers autofill into the available slots. That information can then be used as a persistent ID to track users from page to page, a potentially valuable tool in targeting advertising.