CIA can see your password! they have been infecting Wi-Fi routers for years: 'Home routers from 10 manufacturers, including Linksys, DLink, and Belkin, allow the CIA to monitor and manipulate incoming and outgoing traffic and infect connected devices.'

Leaks and Tools from CIA and NSA keeps popping up on the internet these days. Quite scary what they are capable of doing!
List of from wikileaks of effected wifi devices: https://wikileaks.org/vault7/document/WiFi_Devices/WiFi_Devices.pdf

Home routers from 10 manufacturers, including Linksys, DLink, and Belkin, can be turned into covert listening posts that allow the Central Intelligence Agency to monitor and manipulate incoming and outgoing traffic and infect connected devices. That's according to secret documents posted Thursday by WikiLeaks.
CherryBlossom, as the implant is code-named, can be especially effective against targets using some D-Link-made DIR-130 and Linksys-manufactured WRT300N models because they can be remotely infected even when they use a strong administrative password. An exploit code-named Tomato can extract their passwords as long as a default feature known as universal plug and play remains on. Routers that are protected by a default or easily-guessed administrative password are, of course, trivial to infect. In all, documents say CherryBlossom runs on 25 router models, although it's likely modifications would allow the implant to run on at least 100 more.

At this point we can basically never assume to be anonymous anymore, not matter what browser (Tor) or whatever we are using.

Link to arstechnica reporting on this with additional information if you are intersted.