Since user@gmail.com is the same address as user@googlemail.com the returned data should also be the same, currently you'd have to enter both addresses.
Some users might not even know about this.

On a website that helps people mitigate the impact of losing private data you prevent use of avatars without signing up to an arbitrary third party with whom users may have no previous relationship and certainly no reason to trust. This feels strangely at odds with the core ethos of your website.

for offline mirrors it is important to be able to stay up to date - dropping the index and whole db only to reimport all 550M entries is a long time - for local offline copies the # of breaches may not be important but the new hashes are - can you provide delta files of the newly added SHA1s only for easier updates?

Love using the service btw!

would also keep your bandwith lower for people only needing the new stuff by downloading smaller files

Some websites use userids instead of email addresses. Are userids checked the same as email addresses?

I’m not lying, I got an email from them. Here is the blog post about it:
https://www.hostinger.com/blog/security-incident-what-you-need-to-know/

I sometimes capitalize portions of my email address.
After checking the same email address twice - one time all lower case and another using some upper case - I got different results!

Hi i want to ask about API,

i try to call the API via $.ajax and send the hibp-api-key by header, i checked the hibp-api-key at RequestHeader and its correct
and i get this message in the console
readyState":0,"status":0,"statusText":"NetworkError: Failed to execute 'send' on 'XMLHttpRequest': Failed to load

can you help me?

Can you version the "Pwned Passwords" API v2 to reduce the confusion with https://haveibeenpwned.com/API/v3#APIVersion please?

Can the "Pwned Passwords" API endpoint also specify which release of https://haveibeenpwned.com/Passwords is used within its URL?

I'm not receiving emails while attempting to validate my ownership of a domain. We're using Office 365 and the email doesn't appear to be getting caught by the spam or phishing filters.

Can I have my account show up normally- like no breaches found, since I opted out accidentally ?

I am not sure where to post this but I want it like that

Just stop using it!

Fix your SMTP server: the SMTP server you are using to verify domains does not have a reverse lookup address, so emails are either rejected or marked as spam by any server that is well configured.

Would like to see some suggestions as to how to repair/improv being victims of the instances you unveil.

Can you please insert the breach's "Permalink" returned by the API?

For example, include "Permalink" : "https://haveibeenpwned.com/PwnedWebsites#Adobe" similar to the existing key/value pair of "LogoPath".

What potential is there to provide data on SSN that have been exposed in a breach? This seems much more borderline dangerous, but curious about of you've given any thought and the problems / possibilities you see.

in one of the recent blogs from you or cloudflare, it is talked that basically it would be best to deny all passwords with a count > 100 and warn on password > 20. would it be possible to create download files just for these (i think) like 10 mil records (all > 20)? that would make it easier to create a local repository database with a workable download size and working count. ... and ignoring the rare passwords which make up the largest bucket of your collection.

Please allow users to submit pwnd passwords.

I just had Google notify me that someone tried to log in with my password from Java Indonesia, yet this password is not in the pwnd password list.

A community board for questions.
I'd like to know how my email was caught up in a breach on a website I never went to.

Everyone is very excited about this site. But honestly I am confused. I've received a message about my primary email address many times. But there's absolutely no action I can take based on that. Yes, good password hygene, yes, dont reuse passwords. But that's generic advice that I get without needing to be notified. What is the increment of information I get by receiving your email? I think that there is none. Can you help me understand your value?