Hello @Fadebolt, welcome to QnA Platform and thanks for your query.
The Leaked Credential risk detection type indicates that the user's current credentials, which are valid and can be used to sign in, have been leaked. When a user resets his password, the previous credentials become invalid and can't be used for signing in and accessing any resources. That is why this check is performed against current valid credentials.
When cybercriminals compromise valid passwords of legitimate users, they often share those credentials publicly on the dark web, paste sites, or by trading and selling the credentials on the black market. When the Microsoft leaked credentials service acquires user credentials from the dark web, paste sites, or other sources, they are checked against Azure AD users' current valid credentials to find valid matches.
Read more:
- https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#user-risk
- https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#leaked-credentials
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.