
Very likely.

We've just added a kill-list of known decrypted passwords and English-language words and forced people to reset their passwords who are listed in the Adobe breach.




How do you find out that someone's using a known decrypted password on your service?


From here: http://stricture-group.com/files/adobe-top100.txt

We wrote a script that hashed these passwords with the stored salt for each user and compared the result with the stored hashed value. Basically we brute-forced everyone's accounts with the dictionary provided. Anyone who was found with an account that was in the dictionary was locked out with a forced password change. We changed the password policy before doing this to increase complexity and block dictionary words and the decrypted-list words. We also force people to change their password every 28 days anyway and keep the last 7 hashed passwords and salts to verify that the user hasn't reused one.

We store financial data, so the auth requirements are pretty hardcore.
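The sweep the commenter describes (hash each breach-list word under every user's own salt, compare with the stored hash, force a reset on a match) plus the set-time policy checks, as an added example that is not the commenter's script. The hash scheme (PBKDF2-HMAC-SHA256), the record layout, and the one-password-per-line denylist text are assumptions; the denylist below is a constructed sample, not the published file.

```python
import hashlib
import hmac
import os

# Constructed sample standing in for the published top-100 list
# (one password per line is an assumption about that file's layout).
SAMPLE_DENYLIST_TEXT = "123456\n123456789\npassword\nadobe123\nqwerty\nletmein\n"


def load_denylist(text: str) -> list[str]:
    """One candidate per line; blank lines are ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 stands in for the site's real scheme (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(user: str, password: str, iterations: int = 100_000) -> dict:
    """Build a stored credential row: per-user random salt plus derived hash."""
    salt = os.urandom(16)
    return {"user": user, "salt": salt, "iterations": iterations,
            "hash": hash_password(password, salt, iterations)}


def find_denylisted_users(records: list[dict], denylist: list[str]) -> list[str]:
    """Offline sweep: derive each denylisted word under each user's own salt and
    compare with the stored hash. Cost is users x words x KDF work, so run it as
    a batch job; every user returned here gets the forced reset."""
    flagged = []
    for rec in records:
        for word in denylist:
            candidate = hash_password(word, rec["salt"], rec["iterations"])
            if hmac.compare_digest(candidate, rec["hash"]):
                flagged.append(rec["user"])
                break  # one hit is enough; stop hashing for this user
    return flagged


def is_acceptable_new_password(password: str, denylist: list[str],
                               history: list[dict], min_length: int = 12) -> bool:
    """Set-time policy: length floor, not on the denylist (case-insensitive),
    and not equal to any retained previous hash (e.g. the last 7 records)."""
    if len(password) < min_length:
        return False
    if password.lower() in {w.lower() for w in denylist}:
        return False
    for old in history:
        if hmac.compare_digest(hash_password(password, old["salt"], old["iterations"]), old["hash"]):
            return False
    return True
```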



