Nice, now I know that my mail-address was included in the Exploit.In and Adobe breach. But the Exploit.In breach does not hint any clue whether we talk about the same service (=Adobe) or not. I can understand that you cannot mail me a password. After all you don't know me. I might as well be an imposter. But it would be cool if you could internally setup your database such that it outputs whether the password in an amalgamated-list-breach that did not specify a service like Exploit.In was identical to the one in another breach like the Adobe breach. That would allow me and other users to assess the damage much better and take action. So the output I would wish for should look as follows:

Credentials associated with your email appeared N times in this list. 1 entry matched information leaked through >link< XYZ breach. 1 entry matched information leaked through >link< XYZ breach. .... and so on.

Spamgourmet.com allows a user to create disposable email addresses on the fly. That way a unique email address can be used for each web site you sign up for. The structure of an address is identifier[.##].username@spamgourmet.com, where the identifier can change per site and [.##] is an optional max number of emails you want to receive. Because a different address is used for each site it is currently impossible to query HIBP for breaches of all sub-addresses, like *.username@spamgourmet.com. Allowing wildcard search and notification for spamgourmet addresses (or its many alias domains) would enable users to check on any of their disposable addresses.

I like the fact that I get to know if my email is pwned in any of the latest breaches (so opting out is not really an option), but I can see a malicious intent here as well.

Say a hacker needs to get access to my email account, then the first thing to try is your service to know if my password exists in any of the known breaches, even though I might change it but some users won't or it may be easily guessable.

My idea is, when the user enters their email address, send the results by email and do not display it publicly on the web site.

We have integrated HIBP api in some of our security tools in our company in order to estimate the probability of one of our client getting hacked if his email appears in many breaches.

We beta tested it, but our legal staff pointed out that we needed terms on the website to be able to use it, as the fact you only tell that you don't collect and store email that are searched (we do trust you but legal team don't work on trust :p) is not enough.

we got in touch with the french "national comity for IT liberty" CNIL, and they seem to like the id, but we need terms ! It would be really cool if company can use this awsome tool to make the web a better place.

For those of us who are technically challenged, directions on how to mitigate any damage if found to have been breached. For example, my husband and I found that our Adobe accounts were breached, but we do not know when he signed up as he does not have a computer and only created an email when he got a smart phone about 4 years ago. He has no idea of how he got signed up for Adobe. To be honest, I do not remember signing up or into that service either, although I do have it on my computers and laptop. I was thinking that it would be nice to have a link to the pages where you can change your information, and what is essential to change. We are obviously "the dangerous ones out there who have no clue on this type of thing"! :) Also, is there any further problems we should be looking at? This could maybe be put into the FAQ section?