Offer a service that can wipe clean a person's exposed information that has been breached.

Title explains it.

Link all verified mediums that one can access to join or create a class-action lawsuit/claim related to a data breach.

be able to lookup if your password exists in a breach by entering an md5 of your password rather than the actual password.

Can you version the "Pwned Passwords" API v2 to reduce the confusion with https://haveibeenpwned.com/API/v3#APIVersion please?

Can the "Pwned Passwords" API endpoint also specify which release of https://haveibeenpwned.com/Passwords is used within its URL?

You very kindly just sent me an email that my email address and unsalted password were included in the 2012 LinkedIn breach.

I can't remember which password I was using in 2012, and hence don't know which other accounts need a password change. Could you send the leaked hash (or otherwise, depending on the breach) to the effected email?

for offline mirrors it is important to be able to stay up to date - dropping the index and whole db only to reimport all 550M entries is a long time - for local offline copies the # of breaches may not be important but the new hashes are - can you provide delta files of the newly added SHA1s only for easier updates?

Love using the service btw!

would also keep your bandwith lower for people only needing the new stuff by downloading smaller files

As a security company I would like to be able to search in your database on behalf of my clients for their employees emailadresses. The current laws in EU prohibit this unless HIBP signs a DPA - contract with my company OR we do not provide you with the emaildadress but just a hash. My company would even pay money for this.
I know you already declined this a couple of times but so far nobody mentioned the aspect of law compliancy.
THX for your work

Google now detects some email / password combo breaches. Google doesn't have any more detail on when / what / where. What might explain any difference w Pwned Passwords?

I own several domains and I would like to check any email adress with that domain.
Simply verify by sending confirmation request on a random email address with that domain e.g. h1ytsh4t uhh674@larshjorth.dk

When hitting a 429 response, a cross-origin request does not have access to the Retry-After header.

I'm not receiving emails while attempting to validate my ownership of a domain. We're using Office 365 and the email doesn't appear to be getting caught by the spam or phishing filters.

Implement support for catch all email addresses. I use a different mail address per website I register to. Its all on the same domain that is configured to support catch all e-mail. In theory I could use an UUID email adres per website.

In order to proof you are the owner you could send a verification mail to a random mailadres for the given domain.

With the recent revelation of the 500K+ passwords that were scraped from Fortinet VPNs all over the world, it would be of incredible value to be able to check if several deployments were caught up in the breach (by checking a few usernames). Thanks for the great work!

I get email threats saying the email and password is compromised. They even list the password. But this email is not showing up in your list.

We should be told if a hacker can still access our email or paste it. We should be told that once we receive our results,

We all change our pw frequently... it's hoped,

so have a way to grade the leak to "critical" before you update the pw for that breach. but then mark it as rectified after the pw is changed

Since I use a seperate email address for every domain I register for (forum/webshops) I have a fairly good picture of breached sites (currently many forum sites). Is there a way to add/investigate/report these?