NIST SP 800-63B "Digital Identity Guidelines" specifically requires preventing users from setting passwords which are known to be commonly-used, expected, or compromised.
How would you know they're compromised before you know they're compromised? According to the info I've read about this, the site and database that was breached was not published publicly but was sold privately on the dark web.
