I created a service that website operators can deploy on AWS to check if their users are using passwords known to be breached, comparing them against Troy Hunt’s Have I Been Pwned database of ~600M breached passwords. Read about it here: https://articles.hotelexistence.ca/posts/protectuserscredentialstuffing/