Wayne pointed out that it'd be a lot easier for me to find out how users' passwords get compromised if I would just remember to change my Splunk search to include the "suspicious=true" syntax.

Why didn't I think of that?