Hope this isn’t a repeated submission. Funny how they’re trying to deflect blame after they tried to change the EULA post breach.

  • spraynpray@lemmy.dbzer0.com · 9 months ago

    One thing the company could have done is periodically check https://haveibeenpwned.com/ to see if their users' accounts are part of breaches. Also, they offer a password API, which they could have used to blacklist weak passwords (so they are less likely to get cracked after getting exposed in unrelated breaches). The password API uses K-Anonymity, so the passwords are not fully transmitted, and the final check of whether the password has been found in previous breaches happens locally.

    In case some developer here reads that, I recommend implementing at least the password check. Laminas (and probably other major frameworks) offer predefined functions for that, so the implementation should be very fast and simple.
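A worked example of the k-anonymity range check described in the comment above, added here as an illustration; it is not code from the thread, from Laminas, or from the Have I Been Pwned project. It assumes the public range endpoint `https://api.pwnedpasswords.com/range/{prefix}` and its `SUFFIX:COUNT` line format, and the `Add-Padding: true` request header that pads the response with dummy entries of count 0. The sample response `SAMPLE_RANGE_5BAA6` and its counts are constructed for offline testing and are not real HIBP data; only `fetch_range` talks to the network.

```python
"""k-anonymity password check against the HIBP Pwned Passwords range API.

Only the first 5 hex characters of the SHA-1 hash leave the machine; the
service returns every known suffix for that prefix and the match is done
locally, so the full hash (and the password) is never transmitted.
"""
import hashlib
import urllib.request

# Assumed public endpoint of the Pwned Passwords range API.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Live lookup: download all suffixes sharing this 5-char prefix.

    Add-Padding asks the service to mix in dummy entries with count 0 so the
    response size does not reveal how many real suffixes the prefix has.
    """
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; padding entries (count 0) are dropped."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank lines / trailing whitespace
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def pwned_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in known breaches (0 = not found).

    `fetch` is injectable so the logic can be tested offline.
    """
    prefix, suffix = split_sha1(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


def is_acceptable(password: str, fetch=fetch_range) -> bool:
    """Blacklist rule for a signup/password-change form: reject any breached password."""
    return pwned_count(password, fetch=fetch) == 0


# Constructed sample response for prefix 5BAA6 (SHA-1("password") starts with
# 5BAA6). The suffixes and counts are made up for this example, apart from the
# suffix of "password" itself; the last line imitates a count-0 padding entry.
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "0123456789ABCDEF0123456789ABCDEF012:0",
])


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed sample."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple zebra 9!"):
        print(pw, "->", pwned_count(pw, fetch=offline_fetch), "hits")
```

Hash the candidate password with SHA-1 only because that is the format the service indexes; it is not a substitute for the slow hash (bcrypt, Argon2) the application stores. Treat a network failure as "unknown" rather than "safe" and decide explicitly whether to fail open or closed.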