the hacker can go into your C drive, and go to C://Users/(account name)/AppData/Local/Google/Chrome/User Data/Default/Login Data and simply query the local SQL server for details of the URL, username and encrypted password of the website you have visited.
Minecraft PC IP: play.cubecraft.net
CubeCraft Games
repository
repository
Then all they have to do is decrypt the mixed (ASCII? can't remember this has been a while lmao)/MD5 encryption and they have ALL of the credentials you have saved when visiting webpages [WHETHER IT BE paypal, cubecraftgames ;) or just other websites]!
repository
Actually I think it's a mixed SHA-128/MD5 having just looked at it (still might be wrong though) my bad.