I have a single account for a very popular website. I noticed that certain variations of my set password will successfully log me in. I have tested the variations on 3 separate browsers and all have the same behavior.
This is not a hypothetical question. I intentionally did not describe which variations successfully log in because it is a well-known website that many people use.
Is this a security flaw? Yes!
If so, what should I do with this information?
Contacting their IT department is a good idea. You want to give them time to patch the vulnerability (two weeks is the standard). If the IT department does not respond or fix the issue, then reach out to other people at the company; e.g., upper management. Reaching them by phone is probably the most efficient option, but I'd personally go the electronic route because documentation is important when it comes to such matters.
If, after all of this, still no action has been taken by them to fix this, you have the option of going public. This document should explain that you've tried to reach out to the company but your attempts went unnoticed. Some see going public as a social and ethical responsibility, but you should only do this as your last step. You'll want to contact them privately at first for reasons stated.
Here is some additional documentation that you should read before proceeding:
Based on your information one cannot say for sure if this is a security problem or not. The answer instead depends on the exact kind of variations possible but you don't provide this information.
For example if a site is stripping white space from your password, if it ignores case of the letters or if it shortens the password it might still be considered secure enough as long as this transformation does not simplify the password down to a security level which would make attacks like brute-forcing practically feasible.
If instead the site for example only compares as much characters as you've entered as in the recent vulnerability in Intel AMT authentication or in this bug in windows file sharing from 2000 then it would definitely be a problem.
It's hard to say!
It could be an intentional move on the part of a company to improve user experience for logging in. I know Facebook do this for the sake of user experience, which has been asked about before in a different way.
There a few articles out there about Facebook doing this, but I haven't managed to find anything from Facebook themselves. The only thing I did manage to find was this article which mentions asking a Facebook engineer about it.
This is quite hard to pull off securely, because any acceptance of passwords that aren't your actual password is almost guaranteed to be at the detriment of security, as discussed here.
If you can't find any information online about the company doing this sort of thing (though from your emphasis on the size of the company I feel like it could be Facebook?), I recommend reaching out to them. If they're sizeable chances are they've been asked this before, and should be able to answer you relatively easily. Some companies have published security team mailboxes that you should be able to send this question to.
The answer by @orbuculum has some good resources for how to handle the "what should I do" side of this. It's a tricky area because both extremes (i.e. overreacting and punishing the reporter vs. underreacting and ignoring your communications) appear at least from online reports to be fairly common in companies. If the company is as big and popular as you say, there should be less of a concern about this.
N.B: While I was down the rabbit hole I also came across Locality-sensitive hashing which discusses methods of doing this within the hash function itself.
