Cloudflare WAF Demo

This demo shows Cloudflare detecting passwords found in known data breaches and notifying the login server via a request header; the login server then blocks the request.

How it works: Cloudflare checks submitted passwords against billions of breach records using k-anonymity (your actual password is never sent). If matched, Cloudflare adds an Exposed-Credential-Check header to the request. The login server reads this header and rejects the request with a 403.
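
The origin side of the flow described above, as an added example (not the demo's own code): a minimal WSGI login endpoint that returns 403 when the Exposed-Credential-Check header is present. The `/login` path, the `simulate` helper, the response text and the header value `1` are assumptions constructed for illustration.

```python
from wsgiref.util import setup_testing_defaults

# WSGI exposes the request header "Exposed-Credential-Check" under this key.
HEADER_KEY = "HTTP_EXPOSED_CREDENTIAL_CHECK"


def credential_flagged(environ):
    """Presence of the header means a match; any value, even empty, fails closed."""
    return HEADER_KEY in environ


def login_app(environ, start_response):
    """Login endpoint that rejects flagged requests before any password check."""
    if environ.get("PATH_INFO") != "/login" or environ.get("REQUEST_METHOD") != "POST":
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found\n"]
    no_store = [("Content-Type", "text/plain"), ("Cache-Control", "no-store")]
    if credential_flagged(environ):
        # Never echo the header value or the submitted password to the client.
        start_response("403 Forbidden", no_store)
        return [b"This password appears in a known breach.\n"]
    # Hypothetical placeholder: real credential verification would run here.
    start_response("200 OK", no_store)
    return [b"credentials passed the exposure check\n"]


def simulate(headers, path="/login", method="POST"):
    """Run login_app against a constructed request; return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    environ["REQUEST_METHOD"] = method
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    body = b"".join(login_app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    print(simulate({"Exposed-Credential-Check": "1"}))  # constructed header value
    print(simulate({}))  # no header: request proceeds to normal verification
```

A request that reaches the origin without passing through Cloudflare never carries the header, so this check only holds when the origin accepts traffic exclusively from Cloudflare.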