ELI5: How companies discover if your password has been leaked

303 views

Hello!

Title says all. Thank you.


5 Answers

Anonymous 0 Comments

There are large databases of all known leaked passwords and accounts. The biggest one is maintained by [https://haveibeenpwned.com/](https://haveibeenpwned.com/). Companies pay these database maintainers for full access so they can check their customers' passwords and recommend they change them. The databases do not store the actual password but rather a one-way cryptographic hash of it. A lot of times the password itself is not leaked but a hash of it is leaked, but the databases are able to check any password against any hash as well.

When it comes to companies who have been breached, they have audit logs of what happens on their systems. If anyone is able to extract the account details, it will show up in these audit logs. If there are no audit logs, or the logs themselves seem to have been tampered with, then they just have to assume the passwords have been leaked. It does require a lot of investigation after a breach has been discovered to find out exactly what has been extracted and what has not. A password hash might for example be stored in multiple places: in backups, session caches, etc. Some companies do not even find out their passwords have been leaked until the attacker leaks it by accident, either by sharing a sample with someone claiming to be a buyer of the database who in reality works on uncovering such breaches, or through any number of other ways they could accidentally leak the information.
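To make the "check a password against a database of hashes" part of the answer concrete, here is an added example (not from the original post or from haveibeenpwned.com's own code) of the k-anonymity range-check scheme that the Pwned Passwords service uses: the client hashes the password with SHA-1, sends only the first 5 hex characters, gets back every stored suffix under that prefix, and matches the rest locally, so the service never sees the full hash. The breach corpus, the counts and the `range_response` function standing in for the network call are all constructed for this example.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus (passwords and counts are made up).
# A real database keeps only the hashes; the plaintext is discarded once hashed.
LEAKED_PASSWORDS = {"password": 3861493, "letmein": 95344, "hunter2": 17}

PREFIX_LEN = 5  # k-anonymity prefix: 5 hex chars out of the 40-char SHA-1 hex


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the hash form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked: dict) -> dict:
    """Database side: group hashes by prefix, storing only (suffix, count)."""
    index = defaultdict(list)
    for pw, count in leaked.items():
        digest = sha1_hex(pw)
        index[digest[:PREFIX_LEN]].append((digest[PREFIX_LEN:], count))
    return index


RANGE_INDEX = build_range_index(LEAKED_PASSWORDS)


def range_response(prefix: str) -> str:
    """Simulated service reply (offline stand-in for the real HTTP call):
    every suffix under the prefix, one "SUFFIX:COUNT" per line, so the
    service cannot tell which of them the client actually holds."""
    rows = RANGE_INDEX.get(prefix.upper(), [])
    return "".join(f"{suffix}:{count}\n" for suffix, count in rows)


def times_seen(password: str) -> int:
    """Client side: hash locally, send only the prefix, compare suffixes
    locally. Returns the breach count, or 0 if the password is not listed."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in range_response(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "hunter2", "correct horse battery staple"):
        n = times_seen(pw)
        print(f"{pw!r}: {f'seen {n} times' if n else 'not in corpus'}")
```

Only the 5-character prefix ever leaves the client, which is why a company can screen customer passwords against a third-party corpus without handing that third party the passwords or their full hashes.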
