You should take a look at gmail adresses with . in them. For my email firstnamelastname@gmail.com returns as pwned but firstname.lastname@gmail.com returns as clean. For gmail these adresses are exactly the same and I use both of them.

Can you add an enhancement to https://haveibeenpwned.com/Passwords which is https://haveibeenpwned.com/Passwords/[Password/SHA-1] similar to the "account" URI such as https://haveibeenpwned.com/account/christian.heinrich@cmlh.id.au please?

In the past I have recreated the Maltego Graph of all breached sites/names and domains and when I have pushed this to GitHub another breach has been loaded on the same day by a tweet from https://twitter.com/haveibeenpwned

Can you publish a counter estimating when the next series of breaches will be made available?

I understand that breaches may be loaded concurrently and/or urgently, etc. Neither am I asking for you to publish the name of the website that you are confirming has been breached, etc

Possibility of getting count of total emails addresses leaked for specific IP is very useful due to problems of exporting the data for domain search when there real many emails. In my case happened that after export if showed only "Pastes" database and no other leaks. I have checked some email addresses from exported CSV list and through online database, results were not the same.
And if total count for domain will be available, it will be much easier to compare results and see the differences, also such information can be useful for online threat intelligence platforms.

When hitting a 429 response, a cross-origin request does not have access to the Retry-After header.

Perhaps as a premium service, allow a caller to post an email / password combination. HIBP responds with a recommendation on whether to allow the user to use that password on caller's system. Known pwn'd combinations would always recommend "forbid", as well as perhaps forbidding any password in the top % of pwn'd passwords by frequency.

The end goal is giving system owners a way to steer users away from not only weak but also repeat & known-compromised credentials. I understand that data extraction would be a concern, thus the "premium" service suggestion.

Today is the first time we have ever visited hibp. Clicking on the test http link we immediately received the blocked message shown in the title.

I get email threats saying the email and password is compromised. They even list the password. But this email is not showing up in your list.

a few days after I tested several of my passwords, I started receiving emails from different websites, that someone was trying to log into my accounts. and these are accounts that I haven't used for several years...

your pawny website is a a phishing scam and people should never ever use it!!!

I'm not receiving emails while attempting to validate my ownership of a domain. We're using Office 365 and the email doesn't appear to be getting caught by the spam or phishing filters.

Can you please insert the breach's "Permalink" returned by the API?

For example, include "Permalink" : "https://haveibeenpwned.com/PwnedWebsites#Adobe" similar to the existing key/value pair of "LogoPath".

for offline mirrors it is important to be able to stay up to date - dropping the index and whole db only to reimport all 550M entries is a long time - for local offline copies the # of breaches may not be important but the new hashes are - can you provide delta files of the newly added SHA1s only for easier updates?

Love using the service btw!

would also keep your bandwith lower for people only needing the new stuff by downloading smaller files

Can you version the "Pwned Passwords" API v2 to reduce the confusion with https://haveibeenpwned.com/API/v3#APIVersion please?

Can the "Pwned Passwords" API endpoint also specify which release of https://haveibeenpwned.com/Passwords is used within its URL?

I’m not lying, I got an email from them. Here is the blog post about it:
https://www.hostinger.com/blog/security-incident-what-you-need-to-know/

I own several domains and I would like to check any email adress with that domain.
Simply verify by sending confirmation request on a random email address with that domain e.g. h1ytsh4t uhh674@larshjorth.dk

As a security company I would like to be able to search in your database on behalf of my clients for their employees emailadresses. The current laws in EU prohibit this unless HIBP signs a DPA - contract with my company OR we do not provide you with the emaildadress but just a hash. My company would even pay money for this.
I know you already declined this a couple of times but so far nobody mentioned the aspect of law compliancy.
THX for your work

https://pastebin.com/JhbQGea2
a bunch of passwords

In order to be GDPR compliant when using the service, we need assurance that the e-mail address we provide is not to be stored or passed over to a third party (and some other requirements). Can you sign a document that states that, so we have someting to show during audits?