Re: "Unless there is reason to believe a password has been compromised ..."
"If Citrix did indeed run a comparison of their sign-ins against publicly known compromised credentials..." then I would be very worried, because Citrix is not supposed to know their user's passwords and not supposed to be able to do this easily. And not faster than any hacker could do it.