It's easy and could be just how other companies with great security practices (like google) can tell you when they find your password in a password dump.
Imagine you are a company with great password practices, how would you tell that a user re-used a password that was exposed in some other data breach without you being able to generally know what a user's password is? Well, of course, it's the same way that you verify their password when they login. You track (or more likely in this case, adhoc check) data breaches, when you find a matched email in the breach with one of your users, you check if the password from the breach would allow that user to login.
Imagine you are a company with great password practices, how would you tell that a user re-used a password that was exposed in some other data breach without you being able to generally know what a user's password is? Well, of course, it's the same way that you verify their password when they login. You track (or more likely in this case, adhoc check) data breaches, when you find a matched email in the breach with one of your users, you check if the password from the breach would allow that user to login.