How to Detect Credential Stuffing Attacks with ForgeRock Access Management?

In an ideal world, if you are using ForgeRock Identity Cloud (SaaS), credential stuffing (alongside automated user agent, aka ‘bot detection’) is an OOTB signal in Autonomous Access (integrated into AM trees, so it’s a no-code journey).

There are a few ways, though, to battle not only credential stuffing but also password spraying and other credential-based attacks in your own deployment of AM.
You mentioned the Have I Been Pwned database, so let’s take that example. One way is to use a scripted decision node in the tree (journey) to check, at login time, whether the password has leaked (HIBP is a simple REST call, with a bit of logic after). If you encounter a breached password, you go down the MFA route and ask the user to change it JIT (just in time).
If you wanted to have Autonomous Access-like protection for cred stuffing, you can also start tracking IP addresses in a custom IDM object (if you use IDM) against the account/password combinations used (regardless of whether they come from a breach or not; it’s the number of attempts from a specific IP/network). You can set the threshold to, say, 10 accounts in any 5-minute period. That is bound to generate false positives on overloaded (NAT’ed) IP addresses, but it’s still better than nothing. If you couple device fingerprinting with the attempt/combination counters, it suddenly becomes really effective against automated agents trying out credentials. If the attack is done at DoS scale, no magic dust will help you; you’ll need a proper network-level DoS protection solution.

If you want to try out HIBP in a scripted node, I am happy to share the PoC script (you will need to register for the HIBP service, but it’s free). Hope this helps!

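The two controls the answer above describes, as an added example that is not part of the original post and is not ForgeRock's own code: an HIBP k-anonymity range check (only the first 5 hex characters of SHA-1(password) are sent, the other 35 are matched locally) and a sliding-window counter of distinct accounts tried per IP, with an optional device-fingerprint counter alongside it. In a real AM scripted decision node the same logic would live in the node's JavaScript/Groovy script and use the node's HTTP client; here the REST call is replaced by a constructed in-memory response so it runs offline. The sample range data, counts, IPs, fingerprints and the `allow`/`step_up`/`block` policy are assumptions made for the example, and the threshold is taken to trip on the attempt that reaches 10 distinct accounts within 300 seconds.

```python
"""Added example (not from the post or ForgeRock): HIBP k-anonymity check plus
a per-IP / per-device credential-stuffing counter, runnable offline.  An AM
scripted decision node would carry this logic in its own script language and
use the node's HTTP client; the REST call is replaced by constructed data here."""
import hashlib
from collections import defaultdict, deque

# Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
# The real API lists every SHA-1 suffix in that 5-hex-char range with a count;
# the counts below are made up for the example.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"   # SHA-1("password")
        "1E4C9B93F3F0682250B6CF8331B7EE68FAA:0\r\n"         # count-0 padding line
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    ),
    # Range of SHA-1("abc") with its suffix deliberately absent.
    "A9993": "0000A1B2C3D4E5F60718293A4B5C6D7E8F9:12\r\n",
}


def hibp_prefix_suffix(password: str):
    """Split SHA-1(password) into the 5-char prefix sent to HIBP and the
    35-char suffix that is matched locally, so the full hash never leaves."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str):
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF, blank
    lines and the count-0 padding lines HIBP adds when Add-Padding is sent."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and suffix:
            counts[suffix.upper()] = int(count.strip() or 0)
    return counts


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the REST call (assumption); unknown prefix -> empty body."""
    return SAMPLE_RANGES.get(prefix, "")


def breach_count(password: str, fetch_range=fetch_range_offline) -> int:
    """0 = not seen; anything else should route to MFA + just-in-time change."""
    prefix, suffix = hibp_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


class StuffingDetector:
    """Distinct accounts tried per source key inside a sliding window.
    Keys are the client IP and, when available, a device fingerprint."""

    def __init__(self, max_accounts: int = 10, window_seconds: int = 300):
        self.max_accounts = max_accounts
        self.window_seconds = window_seconds
        self._events = defaultdict(deque)   # key -> deque[(ts, account)]

    def _distinct_in_window(self, key, ts, account) -> int:
        q = self._events[key]
        q.append((ts, account))
        while q and q[0][0] < ts - self.window_seconds:   # expire old attempts
            q.popleft()
        return len({acct for _, acct in q})

    def record(self, ip, account, ts, fingerprint=None):
        """Record one attempt (success or failure) and return which keys hit
        the threshold on it: subset of {"ip", "fp"}; empty set means clean."""
        keys = [("ip", ip)] + ([("fp", fingerprint)] if fingerprint else [])
        return {kind for kind, value in keys
                if self._distinct_in_window((kind, value), ts, account) >= self.max_accounts}

    def decide(self, ip, account, ts, fingerprint=None) -> str:
        """Policy (assumption): one device cycling accounts is automation ->
        block; many accounts behind one IP alone could be NAT -> step up."""
        tripped = self.record(ip, account, ts, fingerprint)
        if "fp" in tripped:
            return "block"
        if "ip" in tripped:
            return "step_up"
        return "allow"


def simulate():
    """Constructed traffic: a bot cycling 12 accounts from one IP and one
    browser fingerprint, and an office NAT where 12 employees share the IP
    but each has a distinct device; then the bot IP again 10 minutes later."""
    det = StuffingDetector(max_accounts=10, window_seconds=300)
    out = {"bot": [], "nat": []}
    for i in range(12):
        out["bot"].append(det.decide("203.0.113.7", f"user{i}@example.com", 1000 + i * 5, "fp-bot"))
    for i in range(12):
        out["nat"].append(det.decide("198.51.100.2", f"emp{i}@example.com", 1000 + i * 5, f"fp-emp{i}"))
    out["later"] = det.decide("203.0.113.7", "user99@example.com", 1700, "fp-bot")
    return out


if __name__ == "__main__":
    print("breached count for 'password':", breach_count("password"))
    print(simulate())
```

In the simulated run the bot is allowed for nine attempts and blocked from the tenth, the NAT address reaches the same per-IP threshold but only gets stepped up because every attempt comes from a different fingerprint, and the bot's attempt 10 minutes later is allowed again because the 300-second window has emptied, which is the point at which a persistent store (the post's custom IDM object) rather than an in-memory deque would let you keep longer history.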