How to monitor your user accounts for breached logins?
On a few rare instances, I've received an email from a website notifying me that my email and password were found in a batch of harvested logins, and they then force me to change my password.
This has only happened on a few very old unused accounts that date back to when I was foolish enough to use the same password on multiple websites. Even though the password was strong, that doesn't stop a poorly designed site from storing it in plain-text and then having a server exploit that lets a hacker copy it. The website notifying me didn't have the breach, but they were still affected since I had re-used the login there.
However, I now manage a few websites of my own. I already know not to store passwords in plaintext and enforce strong password requirements, but I'd like to do the same type of proactive monitoring for my users in case one of them re-uses their login elsewhere that does get breached. How do these sites currently detect when their users may be using a breached login? Where are they finding these hacked logins? Are they using a professional service to notify them?
Have I Been Pwned is the famous service that does this. There are others. They are often paid services, though.
You can also download password lists and check new passwords against them.
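As an added example (not the answerer's code), here is what both approaches look like in practice: checking a candidate password against Have I Been Pwned's Pwned Passwords range endpoint, which takes only the first five hex characters of the password's SHA-1 so the full hash never leaves your server, and checking it against a downloaded hash list. The range response and the local list below are constructed samples so the code runs offline; the live `fetch_range_hibp` lookup is optional.

```python
import hashlib
import urllib.request

# Constructed sample of a range response ("HEX_SUFFIX:COUNT" per line).
# The suffix for SHA-1("password") is included so the offline check matches.
SAMPLE_RANGE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
"""

# Constructed sample of a downloaded list: full SHA-1 hashes, one per line.
SAMPLE_LOCAL_LIST = """\
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
7C4A8D09CA3762AF61E59520943DC26494F8941B:2000000
"""


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the hash form used by Pwned Passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; blank lines ignored."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if line:
            suffix, _, count = line.partition(":")
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """k-anonymity check: send only the 5-char prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_hibp(prefix: str) -> str:
    """Live lookup; only `prefix` is sent to the service."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "breached-password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_range_sample(prefix: str) -> str:
    """Offline stand-in that returns the constructed sample for any prefix."""
    return SAMPLE_RANGE_RESPONSE


def load_local_hashes(lines) -> set:
    """Build a lookup set from a downloaded list (optional ':count' dropped)."""
    return {ln.split(":", 1)[0].strip().upper() for ln in lines if ln.strip()}


def in_local_list(password: str, hashes: set) -> bool:
    return sha1_hex(password) in hashes
```

Reject or force a reset when `breach_count` is non-zero at registration or password change; the count tells you how widely the password has circulated.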