Breached Password Detected with no email Received or `pwd_leak` Event Logged

Overview

When a breached password is detected, no email notification is sent to the user or to the tenant admin, and no `pwd_leak` event is logged in the tenant logs.

Applies To
  • Breached Password Detection
Cause

Solution

When a compromised credential (breached password) is detected, Auth0 takes the following actions:

  1. Block the compromised user account
  2. Send a notification to the user with the URL to change the password
  3. Send a notification to the tenant admins about the compromised credentials
  4. Log a `pwd_leak` event in the tenant logs for the compromised credentials

Throttling is applied to actions 2, 3, and 4:

  • For action 2, notifications to the user are sent at most once per hour per user
  • For action 3, notifications to the tenant admin are sent at most once per hour per IP
  • For action 4, tenant log events are generated at most once per hour per IP

If the emails are not received or the tenant log event is not observed, check whether the detection falls within the throttling period; if it does, the missing email or log event is expected.
There is no throttling for action 1, so the user account is always blocked when a compromised credential (breached password) is detected.
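The three throttles above use different keys (per user for action 2, per IP for actions 3 and 4), so a detection can produce a block and a user email while producing no admin email and no log event, or the reverse. The following model is an added example written for this article, not Auth0's own implementation or API; it reproduces the stated rules (unthrottled block, one-hour windows keyed by user or source IP) over a constructed sequence of detections using documentation-range IP addresses, so you can see which detections are expected to leave no `pwd_leak` event or admin email.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# One-hour window, as stated in the article for actions 2, 3 and 4.
THROTTLE_WINDOW = timedelta(hours=1)


@dataclass
class DetectionOutcome:
    """What a single breached-password detection produces."""
    blocked: bool            # action 1: never throttled
    user_email_sent: bool    # action 2: once per hour per user
    admin_email_sent: bool   # action 3: once per hour per IP
    log_event_written: bool  # action 4 (`pwd_leak`): once per hour per IP


@dataclass
class BreachedPasswordThrottle:
    """Illustrative model of the throttling rules (hypothetical, not Auth0 code)."""
    last_user_email: dict = field(default_factory=dict)   # user_id -> last send time
    last_admin_email: dict = field(default_factory=dict)  # ip -> last send time
    last_log_event: dict = field(default_factory=dict)    # ip -> last event time

    def _allowed(self, table, key, now):
        """Allow the action only if the key has not fired within the window."""
        last = table.get(key)
        if last is not None and now - last < THROTTLE_WINDOW:
            return False
        table[key] = now  # record only when the action actually fires
        return True

    def handle_detection(self, user_id, source_ip, now):
        return DetectionOutcome(
            blocked=True,  # action 1 is unconditional
            user_email_sent=self._allowed(self.last_user_email, user_id, now),
            admin_email_sent=self._allowed(self.last_admin_email, source_ip, now),
            log_event_written=self._allowed(self.last_log_event, source_ip, now),
        )


def simulate():
    """Run a constructed sequence of detections and return the outcomes in order."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed timestamp
    model = BreachedPasswordThrottle()
    # Constructed scenario: (user, source IP, time offset from t0)
    detections = [
        ("alice", "203.0.113.10", timedelta(0)),            # first detection: everything fires
        ("bob",   "203.0.113.10", timedelta(minutes=10)),   # same IP, new user: no admin email, no log event
        ("alice", "198.51.100.7", timedelta(minutes=20)),   # same user, new IP: no user email
        ("alice", "203.0.113.10", timedelta(minutes=61)),   # all windows expired: everything fires again
    ]
    return [model.handle_detection(u, ip, t0 + dt) for u, ip, dt in detections]


if __name__ == "__main__":
    for i, outcome in enumerate(simulate(), start=1):
        print(f"detection {i}: {outcome}")
```

The second detection is the case this article is about: the account is blocked and the user is emailed, but because the same IP already triggered an admin email and a `pwd_leak` event ten minutes earlier, neither appears again until the hour has passed. When investigating in a real tenant, filter the logs on the event type (`type:pwd_leak`) and compare the timestamps of neighbouring detections from the same IP against the one-hour window before treating the gap as a defect.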
