It's also possible they periodically look for passwords known to have been part of other breaches and compare those to passwords being used by their own users (this can be done without knowing your password; they can just hash the known compromised password with whatever hash they use on regular user pws) and if yours pops up on the list they force a reset.

https://krebsonsecurity.com/2019/08/...r-assumptions/