ELI5: How do companies discover if your password has been leaked?


Hello!

Title says all. Thank you.


5 Answers

Anonymous 0 Comments

When a company wants to check if your password has been leaked, it can use a special database that lists all of the known password leaks that have happened in the past. These databases are maintained by organizations that track online security and privacy issues. If your password appears in one of these databases, it means that it has been leaked at some point in the past.

Anonymous 0 Comments

There are large databases of all known leaked passwords and accounts. The biggest one is maintained by [https://haveibeenpwned.com/](https://haveibeenpwned.com/). Companies pay these database maintainers for full access so they can check their customers' passwords and recommend they change them. The databases do not store the actual password but rather a one-way cryptographic hash of it. A lot of the time the password itself is not leaked but a hash of it is leaked, but the databases are able to check any password against any hash as well.

When it comes to companies who have been breached, they have audit logs of what happens on their systems. If anyone is able to extract the account details, it will show up in these audit logs. If there are no audit logs, or the logs themselves seem to have been tampered with, then they just have to assume the passwords have been leaked. It does require a lot of investigation after a breach has been discovered to find out exactly what has been extracted and what has not. A password hash might, for example, be stored in multiple places: in backups, session caches, etc. Some companies do not even find out their passwords have been leaked until the attacker leaks it by accident, either by sharing a sample with someone claiming to be a buyer of the database who in reality works on uncovering such breaches, or through any number of other ways they could accidentally leak the information.
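The answer above describes two checks: looking a password up in a leaked-password database that only holds hashes, and testing candidate passwords against a leaked hash. The following is an added example, not code from the original thread or from Have I Been Pwned, that shows both. It uses the shape of the real Pwned Passwords range API (SHA-1, 5-hex-character prefix sent, list of `SUFFIX:COUNT` lines returned, optional `Add-Padding` header), but the range response embedded below and its counts are constructed for the example, and the network function is included only for reference and is never called here.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Iterable, Optional

PREFIX_LEN = 5  # the range API is keyed on the first 5 hex characters of the SHA-1


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the hash the Pwned Passwords corpus uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; padding rows (count 0) are dropped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:  # 'Add-Padding: true' adds dummy rows with count 0 to hide the real row count
            counts[suffix.upper()] = n
    return counts


def pwned_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """k-anonymity check: only the 5-char prefix leaves the client, matching is done locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def fetch_range_from_hibp(prefix: str) -> str:
    """Live lookup against the real endpoint (assumed URL shape; not called in this example)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "pwned-passwords-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the response to /range/5BAA6 (the prefix of SHA-1("password")).
# The counts and the second suffix are made up for the example; the first suffix is the
# real remainder of SHA-1("password") so the lookup exercises a true match.
SAMPLE_RANGE_5BAA6 = "\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:4242424",
    "0123456789ABCDEF0123456789ABCDEF012:17",
    "0" * 35 + ":0",  # padding row as returned when Add-Padding is requested
])
OFFLINE_RANGES = {"5BAA6": SAMPLE_RANGE_5BAA6}


def offline_lookup(prefix: str) -> str:
    """Offline replacement for fetch_range_from_hibp backed by the constructed sample."""
    return OFFLINE_RANGES.get(prefix.upper(), "")


def match_leaked_hash(leaked_sha1: str, candidates: Iterable[str]) -> Optional[str]:
    """Why a leaked hash still matters: an unsalted fast hash can be tested against a wordlist.

    A per-user salt would force this loop to run once per account, and a slow password
    hash (bcrypt, scrypt, Argon2) makes each iteration far more expensive.
    """
    target = leaked_sha1.strip().upper()
    for candidate in candidates:
        if sha1_hex(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw, offline_lookup)} times in the sample corpus")
    leaked = "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"
    print("leaked hash matches:", match_leaked_hash(leaked, ["letmein", "password", "123456"]))
```

To run the check against the live service, pass `fetch_range_from_hibp` instead of `offline_lookup`; the server still only ever sees the 5-character prefix, which is the point of the range design.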

Anonymous 0 Comments

Follow-up question: If a website only stores a *hash* of your password, which they should be doing for security reasons, then is it even possible for your password to be leaked? So what if your hashed password got leaked?

Anonymous 0 Comments

They buy it from the hackers.

For example T-Mobile paid $200k. Then the hackers kept selling the leaked data anyways.

Anonymous 0 Comments

This happened to one of my customers (I work for an IT company): an independent "researcher" saw the affected company's credentials to our software (login name + password) available on a website on the darknet.
The researcher then reached out to the company and reported it for a fee, and the company worked to fix the problem.
The company actually paid for it, because our software has direct admin access to deploy scripts and software to end-user devices in the fleet. This is one of the worst-case scenarios and definitely worth every $ to pay to see whose credentials got stolen and to attempt to fix the issue before the actual malicious hack happens.