It is provided as a means of what may have happened. Not a way to verify all.
As mentioned several times in the topic, the hole here isn't the software but rather the human. Humans are using the same credentials on multiple sites, and when one of those other sites (not associated with IPS) gets breached, their credentials are now known. Thus, these spammers are logging in.
The way around this would be to employ Two Factor Authentication, because this requires another set of actions to log in. This won't help past users but will help in the future.
The other option would be to force password resets for all members, but there is no guarantee that your users will insert already breached credentials.
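
The forced-reset option above leaves open what the member types as the new password. This is an added example (not part of the original post, and not IPS code) of screening a new password at reset time against a breach corpus using a prefix-only SHA-1 lookup, so the full hash never leaves the site. The corpus, function names and messages are constructed for illustration.

```python
import hashlib

# Constructed stand-in for a breached-password corpus (assumption: a real
# deployment would load a published corpus or query a range-style service).
BREACHED_PASSWORDS = ["password1", "password1", "Summer2023!", "qwerty123"]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Index hashes as {5-char prefix: {35-char suffix: times seen}}."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        bucket = index.setdefault(digest[:5], {})
        bucket[digest[5:]] = bucket.get(digest[5:], 0) + 1
    return index


def range_lookup(index, prefix: str) -> str:
    """Corpus side: answer with 'SUFFIX:COUNT' lines for a prefix only."""
    return "\n".join(f"{s}:{c}" for s, c in sorted(index.get(prefix, {}).items()))


def breach_count(password: str, index) -> int:
    """Site side: disclose only the hash prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(index, prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def accept_new_password(new_password: str, index):
    """Reset-time policy: refuse any password present in the corpus."""
    seen = breach_count(new_password, index)
    if seen > 0:
        return False, f"rejected: seen {seen} time(s) in breach corpus"
    return True, "accepted"


INDEX = build_range_index(BREACHED_PASSWORDS)
```

A check like this only covers passwords already present in the corpus, so it complements Two Factor Authentication and does not replace it.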