This is compared to the very evil password strength checker, which gives an ambiguous "password not strong enough" error until it finds a match with another service.
Have any bad actors even been implicated in this kind of abuse?
It'd be interesting to try to automate honeypots to screen for this -- for each suspect site, unique credentials which are also reused on honeypot accounts on other major common target sites.
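
A sketch of the honeypot idea in the last comment, added here as an example and not part of the original thread: each suspect site gets a credential pair derived only for it, the same pair is registered on the honeypot accounts, and any honeypot login that replays the pair points back to the one site that saw it. The key, site names, log fields and function names are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac

MASTER_KEY = b"constructed-demo-key"  # assumption: kept secret by the researcher
SUSPECT_SITES = ["password-checker.example", "other-checker.example"]  # constructed

def canary_for(site, key=MASTER_KEY):
    """Derive a username/password pair that is given to exactly one suspect site."""
    digest = hmac.new(key, site.lower().encode(), hashlib.sha256).digest()
    user = "u" + digest[:6].hex()
    password = base64.urlsafe_b64encode(digest[6:24]).decode()
    return user, password

def build_index(sites, key=MASTER_KEY):
    """Map each canary pair back to the one site it was typed into."""
    return {canary_for(site, key): site for site in sites}

def attribute(attempts, index):
    """Group honeypot login attempts by the suspect site whose canary they used.
    Only an exact user+password match counts; a username alone could be guessed."""
    hits = {}
    for attempt in attempts:
        site = index.get((attempt["user"], attempt["password"]))
        if site is not None:
            hits.setdefault(site, []).append(attempt)
    return hits

def sample_attempts():
    """Constructed honeypot log: one canary replay, one wrong password, one guess."""
    user, password = canary_for("password-checker.example")
    return [
        {"target": "honeypot-mail", "user": user, "password": password},
        {"target": "honeypot-mail", "user": user, "password": "123456"},
        {"target": "honeypot-shop", "user": "admin", "password": "admin"},
    ]

if __name__ == "__main__":
    for site, seen in attribute(sample_attempts(), build_index(SUSPECT_SITES)).items():
        print(site, "->", [a["target"] for a in seen])
```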