
I didn't think HIBP did password hash sharing?


They sure do and in fact offer an API for sites to validate SHA-1 hashes against their cracked password DB[0]. The hashes are shared.

Thank you to Troy Hunt

[0] https://haveibeenpwned.com/API/v3#PwnedPasswords


That's not really what I was getting at. I've implemented the password lookup before. That protects users from setting passwords that have already been compromised.

The scenario I was looking at was:

User signs up with Site A with Password 1.

User signs up with Nest with Password 1.

Site A gets compromised.

Nest couldn't know if you'd used the same password on each site. The only way they could know is if they used the same hashing algo with the same salt or SHA-1 with no salt. Highly unlikely.

I suppose Nest could check the Pwned Passwords API every time they logged in, but I haven't seen anyone deploy that yet. IIRC all solutions I've seen check the Pwned Passwords API when they set the password. Setting a password and checking a password are often different systems.
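As an added illustration of the lookup being discussed (this is example code, not from the comment authors or from HIBP), the Pwned Passwords range endpoint takes only the first five hex characters of the SHA-1 digest and returns every matching suffix with its breach count, so the full hash never leaves the site. The sample range response below is constructed for the example, and `fake_fetch` stands in for the HTTP call; the same `pwned_count` function can be wired to a live fetcher and run either at password-set time or at login time, which is the distinction raised in the comment above.

```python
import hashlib
from typing import Callable, Dict

# Constructed sample of a range response for prefix "5BAA6" (the real API
# returns hundreds of lines per prefix). Each line is <35-hex-char suffix>:<count>.
# The first suffix is the tail of SHA-1("password"); the count is made up.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
011053FD0102E94D6AE2F8B83D76FAF94F6:1
"""


def sha1_upper_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict of suffix -> breach count."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: only the 5-char hash prefix is sent to the API,
    and the suffix match is done locally against the returned range."""
    digest = sha1_upper_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def fake_fetch(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/{prefix}."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def live_fetch(prefix: str) -> str:
    """Real fetcher (not used in the offline demo). Hypothetical helper."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url) as resp:
        return resp.read().decode("utf-8")


def login_decision(password: str, fetch_range: Callable[[str], str]) -> str:
    """Check at login time, as the comment suggests. Returns a policy label:
    'require_reset' if the password appears in any breach, else 'ok'.
    The threshold is an assumption for the example."""
    return "require_reset" if pwned_count(password, fetch_range) > 0 else "ok"


if __name__ == "__main__":
    print(pwned_count("password", fake_fetch))          # 3861493 (constructed count)
    print(login_decision("password", fake_fetch))       # require_reset
```

Swapping `fake_fetch` for `live_fetch` turns this into a real check; the parsing and prefix/suffix split are unchanged, which is the point of the range API: the site can run the check at any moment it holds the plaintext (signup, password change, or login) without disclosing the full hash.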


You can also download the passwords.



