Hey Alycia,
You can try implementing 2FA; even if the stuffed creds are valid and taken from recent breaches, you can still prevent unauthorised access. There are a lot of methods to implement it; I prefer Google Authenticator as it is very cheap to implement.
Some best practices are to mask PII and PHI data, implement 2FA for payment processing, and give users the option to terminate all active sessions.
Now, in the worst-case scenario where a user doesn't have 2FA, you can send a notification to the user's email whenever they log in, but if you have a wide application audience then it might cost you in resources.
Hope that helps and if there are any other alternatives please let me know.
Regards,
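Added example, not part of the reply above: the Google Authenticator codes mentioned are RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits), and this is a minimal server-side verifier for them written from scratch with the standard library. It assumes the server stores a per-user secret plus the time-step counter of the last accepted code, so a code that was already used (or phished and replayed within its window) is rejected.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # RFC 6238 default time step in seconds
DIGITS = 6   # Google Authenticator displays 6-digit codes


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps share secrets as base32; re-pad and decode."""
    encoded = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(encoded + "=" * (-len(encoded) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP keyed on the number of elapsed time steps."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_used_counter: int, window: int = 1):
    """Accept `submitted` if it matches the current step or one within
    +/- `window` steps (clock skew tolerance), but never a step at or
    below `last_used_counter`, so each code is usable at most once.
    Returns (accepted, counter_to_store)."""
    current = unix_time // STEP
    for counter in range(current - window, current + window + 1):
        if counter <= last_used_counter:
            continue  # already consumed: blocks replay of a captured code
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True, counter
    return False, last_used_counter


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 reference secret (ASCII digits).
    demo_secret = b"12345678901234567890"
    print(totp(demo_secret, 59))   # RFC 6238 test vector at T=59
```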