I seem to recall they do this the way other similar things do, which does not involve sending your passwords anywhere.
What they do is hash your password, then take something like the first 20 bits and send that to a site that keeps a list of hashes of known leaked passwords. That site returns all the hashes that start with those 20 bits. Chrome then checks that list to see if the full hash of your password is on it.
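The prefix lookup described in the comment above, as an added sketch that is not part of the original comment and is not Chrome's code. The `LeakService` class, SHA-256 as the hash function, and the sample passwords are assumptions constructed for illustration.

```python
import hashlib

PREFIX_BITS = 20  # "something like the first 20 bits", per the comment


def digest(password: str) -> bytes:
    # SHA-256 is an assumption; the comment does not name the hash function.
    return hashlib.sha256(password.encode("utf-8")).digest()


def prefix_of(h: bytes, bits: int = PREFIX_BITS) -> int:
    # Keep only the top `bits` bits of the hash.
    return int.from_bytes(h, "big") >> (len(h) * 8 - bits)


class LeakService:
    """Hypothetical server that indexes leaked-password hashes by prefix."""

    def __init__(self, leaked_passwords):
        self.buckets = {}
        self.seen_queries = []  # everything the server ever learns from clients
        for pw in leaked_passwords:
            h = digest(pw)
            self.buckets.setdefault(prefix_of(h), set()).add(h)

    def range_query(self, prefix: int) -> set:
        # The server receives a 20-bit prefix, never the password or full hash.
        self.seen_queries.append(prefix)
        return set(self.buckets.get(prefix, ()))


def is_leaked(password: str, service: LeakService) -> bool:
    h = digest(password)
    candidates = service.range_query(prefix_of(h))
    # The full-hash comparison happens locally, on the client.
    return h in candidates


# Constructed sample data, not a real breach list.
SERVICE = LeakService(["123456", "password", "qwerty", "letmein"])

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", "leaked" if is_leaked(pw, SERVICE) else "not found")
```

A prefix that matches nothing still returns an empty set, so the server cannot tell from its own reply whether the client's password was on the list.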