Use the "passwords" feature to check if one of yours is compromised. If it shows up, never ever reuse those credentials. They'll be baked into thousands of botnets etc. and be forevermore part of automated break-in attempts until one randomly succeeds.
The thing about this one is no one seems sure of the source (it appears to be from multiple sources, including infostealer malware and phishing attacks), so you don't know which passwords to change. To be safe you'd have to do all of them.
Some password managers (e.g. Bitwarden) offer an automatic check for whether your actual passwords have been seen in these hack databases, which is a bit more practical than changing hundreds of passwords just in case.
And of course don't reuse passwords. If you have access to an email masking service you can not only use a different password for every site, but also a different email address. Then hackers can't even easily connect that it's your account on different sites.
How do they do that without sending your actual passwords somewhere off your device, or downloading the full list of hacked passwords?
They probably hash the list of hacked passwords the same way your passwords get hashed and check for matches.
Interesting, thanks!
More details about the k-anonimity process. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
The short answer is that they download a partial list of passwords that hash to values starting with the same 5 characters as yours and then check if your password hash is in that list locally. This gives the server very little information about your password if it was not breached and more if it was (but then you should change it anyway), making an elegant compromise
They connect to the Have I Been Pwned database in a secure way.
They make a hash of your password and send just the first characters.