User credentials are stored in xf_user_auth (I believe that was the correct name), with the email being on the xf_user table. The first table also saves the hash algorithm that was used to hash the password string, so you'll have to query the relevant row and then perform your hash check based on that.