Why didn't they...
Ask the users to enter their email address and send a message to that address saying either:
We have no matching records
We have matching records:
i) list the services they relate to
ii) include the hashes so the use can check which passwords themselves
(i) assumes they know which services the stash was stolen from
(ii) might need another validation step to prevent new criminals using it to harvest hashes. But they would need to compromise the target's email address first so not very efficient, and it shouldn't be a problem if the hashes are strong and salted. The other problem is enabling users to check the hashes in the privacy of their own computer.
Even just telling someone, "we have matching records, change your passwords now" is useful and preferable to training users to enter passwords into unrelated sites.