IP Geolocation and verification is probably the most effective way to combat this kind of password theft.
No one needs to come from more than one country a day, or 3 IPs... Combined with browser headers it would probably give enough evidence for automatic identification and banning of leaked passwords... Just my
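
The per-account check this comment proposes, written out as an added example that is not part of the original post. It assumes each login event already carries a country code from a GeoIP lookup, and it reads the thresholds as "more than one country, or more than three IPs, per calendar day"; the function name, field layout and sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login events: (ISO timestamp, account, source IP,
# country code already resolved by a GeoIP lookup, User-Agent header).
SAMPLE_EVENTS = [
    ("2024-05-01T08:02:11", "alice", "192.0.2.10", "DE", "Firefox/125"),
    ("2024-05-01T12:40:03", "alice", "192.0.2.10", "DE", "Firefox/125"),
    ("2024-05-01T09:15:00", "bob", "198.51.100.7", "US", "Chrome/124"),
    ("2024-05-01T09:55:42", "bob", "203.0.113.5", "BR", "curl/8.5"),
    ("2024-05-01T07:00:00", "carol", "192.0.2.21", "FR", "Safari/17"),
    ("2024-05-01T11:00:00", "carol", "192.0.2.22", "FR", "Safari/17"),
    ("2024-05-01T15:00:00", "carol", "192.0.2.23", "FR", "Safari/17"),
    ("2024-05-01T19:00:00", "carol", "192.0.2.24", "FR", "Safari/17"),
    ("2024-05-01T23:30:00", "dave", "198.51.100.9", "JP", "Edge/124"),
    ("2024-05-02T00:10:00", "dave", "203.0.113.77", "SG", "Edge/124"),
]

def flag_accounts(events, max_countries=1, max_ips=3):
    """Return {(account, date): [reasons]} for account-days over a threshold."""
    seen = defaultdict(lambda: {"countries": set(), "ips": set(), "agents": set()})
    for ts, account, ip, country, agent in events:
        day = datetime.fromisoformat(ts).date().isoformat()
        bucket = seen[(account, day)]
        bucket["countries"].add(country)
        bucket["ips"].add(ip)
        bucket["agents"].add(agent)

    flagged = {}
    for key, b in seen.items():
        reasons = []
        if len(b["countries"]) > max_countries:
            reasons.append("countries=" + ",".join(sorted(b["countries"])))
        if len(b["ips"]) > max_ips:
            reasons.append(f"ips={len(b['ips'])}")
        # A changed User-Agent alone is weak evidence; it only corroborates a flag.
        if reasons and len(b["agents"]) > 1:
            reasons.append("user_agent_changed")
        if reasons:
            flagged[key] = reasons
    return flagged

if __name__ == "__main__":
    for (account, day), reasons in sorted(flag_accounts(SAMPLE_EVENTS).items()):
        print(account, day, reasons)
```

The `dave` events change country within 40 minutes but fall on two calendar dates, so a per-day bucket does not flag them; a rolling 24-hour window closes that gap.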
