
There are better mechanisms than password rotation to mitigate (even undetected) security breaches.

Password databases can and should be storing that data using proper hashing functions like Argon or bcrypt. Those are designed to be slow, so brute-forcing them even offline and in parallel becomes time-consuming. This increases the time between when a breach happens and when those passwords become useful to attackers. This gives the service more opportunity to detect the breach and force users to reset their passwords.

If attackers somehow obtain actual passwords before then, then the login system should be using risk-based authentication, where it throws additional challenges if the user appears to be logging in from a completely unexpected IP address or client.
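To make the two mechanisms in the comment concrete, here is an added example (not from the commenter) that stores passwords with a deliberately slow, salted hash and then applies a risk-based step-up decision after a correct password. It assumes Python's standard-library scrypt as a stand-in for Argon2/bcrypt, a /24 network plus client string as the "familiar context" signal, and constructed sample data.

```python
import hashlib
import hmac
import ipaddress
import os

# scrypt stands in for Argon2/bcrypt because it ships with Python; the cost
# parameters are constructed for this example and must be tuned per deployment.
SCRYPT_PARAMS = {"n": 2**14, "r": 8, "p": 1}


def hash_password(password: str) -> dict:
    """Return a storable record: random salt, slow hash, and the cost parameters."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return {"salt": salt, "digest": digest, **SCRYPT_PARAMS}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    candidate = hashlib.scrypt(
        password.encode(), salt=record["salt"], dklen=32,
        n=record["n"], r=record["r"], p=record["p"])
    return hmac.compare_digest(candidate, record["digest"])


def risk_decision(history: list, ip: str, client: str) -> str:
    """'allow' when both the /24 network and the client have been seen for this
    user before; otherwise 'challenge' (e.g. require a second factor)."""
    network = ipaddress.ip_network(f"{ip}/24", strict=False)
    seen_networks = {ipaddress.ip_network(f"{h}/24", strict=False) for h, _ in history}
    seen_clients = {c for _, c in history}
    if network in seen_networks and client in seen_clients:
        return "allow"
    return "challenge"


def login(password: str, record: dict, history: list, ip: str, client: str) -> str:
    """Wrong password -> 'deny'; right password -> risk-based decision."""
    if not verify_password(password, record):
        return "deny"
    return risk_decision(history, ip, client)


# Constructed sample data: one stored record and two prior successful logins.
RECORD = hash_password("correct horse battery staple")
HISTORY = [("203.0.113.10", "Firefox/118"), ("203.0.113.42", "Firefox/118")]
```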


