[closeparen]

Wonder if anyone has ever written password validation to attempt credential stuffing on a few popular websites and reject the password if it works.

[WorldMaker]

Pwned Passwords is a most common password (hashes) database compiled from years of breach data: http://haveibeenpwned.com/Passwords

Though the takeaway in the article is that you really only need to check Top X and Top X may be as low as 10 assuming other mitigations are in place.