BCryptPasswordEncoder shows this warning when it fails to match a raw password with an encoded password.
The hashed password might be “$2b” or “$2y” now.
And there is a bug in Spring Security that has a regex always looking for “$2a”. Put a debug point at the matches() function in the BCryptPasswordEncoder.class.