The Qualys SSL Server Test shows that haveibeenpwned.com uses certificates that do not specify OCSP Must-Staple. When you replace these certificates near their expiry date, please get certificates that specify OCSP Must-Staple. Scott Helme has a good article on why OCSP Must-Staple is important.

https://www.ssllabs.com/ssltest/analyze.html?d=haveibeenpwned.com
https://scotthelme.co.uk/ocsp-must-staple/

The Qualys SSL Server Test shows that haveibeenpwned.com supports weak cipher suites for TLS 1.2. Please drop support for these to make haveibeenpwned.com even more secure.
https://www.ssllabs.com/ssltest/analyze.html?d=haveibeenpwned.com

I own several domains and I would like to check any email adress with that domain.
Simply verify by sending confirmation request on a random email address with that domain e.g. h1ytsh4t uhh674@larshjorth.dk

Since user@gmail.com is the same address as user@googlemail.com the returned data should also be the same, currently you'd have to enter both addresses.
Some users might not even know about this.

On a website that helps people mitigate the impact of losing private data you prevent use of avatars without signing up to an arbitrary third party with whom users may have no previous relationship and certainly no reason to trust. This feels strangely at odds with the core ethos of your website.

for offline mirrors it is important to be able to stay up to date - dropping the index and whole db only to reimport all 550M entries is a long time - for local offline copies the # of breaches may not be important but the new hashes are - can you provide delta files of the newly added SHA1s only for easier updates?

Love using the service btw!

would also keep your bandwith lower for people only needing the new stuff by downloading smaller files

Some websites use userids instead of email addresses. Are userids checked the same as email addresses?

I’m not lying, I got an email from them. Here is the blog post about it:
https://www.hostinger.com/blog/security-incident-what-you-need-to-know/

I sometimes capitalize portions of my email address.
After checking the same email address twice - one time all lower case and another using some upper case - I got different results!

Hi i want to ask about API,

i try to call the API via $.ajax and send the hibp-api-key by header, i checked the hibp-api-key at RequestHeader and its correct
and i get this message in the console
readyState":0,"status":0,"statusText":"NetworkError: Failed to execute 'send' on 'XMLHttpRequest': Failed to load

can you help me?

Can you version the "Pwned Passwords" API v2 to reduce the confusion with https://haveibeenpwned.com/API/v3#APIVersion please?

Can the "Pwned Passwords" API endpoint also specify which release of https://haveibeenpwned.com/Passwords is used within its URL?

I'm not receiving emails while attempting to validate my ownership of a domain. We're using Office 365 and the email doesn't appear to be getting caught by the spam or phishing filters.

Can I have my account show up normally- like no breaches found, since I opted out accidentally ?

I am not sure where to post this but I want it like that

Just stop using it!

Fix your SMTP server: the SMTP server you are using to verify domains does not have a reverse lookup address, so emails are either rejected or marked as spam by any server that is well configured.

Would like to see some suggestions as to how to repair/improv being victims of the instances you unveil.

What potential is there to provide data on SSN that have been exposed in a breach? This seems much more borderline dangerous, but curious about of you've given any thought and the problems / possibilities you see.

Can you please insert the breach's "Permalink" returned by the API?

For example, include "Permalink" : "https://haveibeenpwned.com/PwnedWebsites#Adobe" similar to the existing key/value pair of "LogoPath".

in one of the recent blogs from you or cloudflare, it is talked that basically it would be best to deny all passwords with a count > 100 and warn on password > 20. would it be possible to create download files just for these (i think) like 10 mil records (all > 20)? that would make it easier to create a local repository database with a workable download size and working count. ... and ignoring the rare passwords which make up the largest bucket of your collection.