Return usernames/email addresses with Pwned Passwords api by using a k-Anonymity model
The chances for old email addresses to be listed in a breach are very high. After some decades of use, the email address occurs in a breach with a hopefully old password and is used with new passwords currently.
Thus, it would be great if I could test if a specific username – password combination has been listed in a breach. As far as I understand the API this isn’t possible at the moment.
The related email addresses could be returned after the number of breaches in the api.pwnedpasswords.com return value. This approach has the problem that foreign email addresses are sent back to other people.
Therefore, a reverse k-Anonymity model approach could be applied and only the first 5 digits of the email address's hash should be returned. The hash part could then be compared to hashes of known email addresses by the client. This would allow the client to identify username – password combinations with the api.pwnedpasswords.com without ever sending passwords and usernames.
Yours, Marcus
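The following is an added illustration, not code from the post or from the Pwned Passwords service. It shows the existing k-Anonymity range query from the client side (SHA-1 the password, send only the first 5 hex digits, match the returned suffixes locally) and then the proposal above: a hypothetical third field on each response line carrying 5-digit prefixes of email hashes, which the client compares against the prefix of its own email hash. The response format with the email field, the sample counts and the `fake_fetch_range` function are all constructed assumptions; the real API returns only `SUFFIX:COUNT` lines.

```python
import hashlib

PREFIX_LEN = 5  # hex digits sent to the server (k-Anonymity range query)


def sha1_hex(value: str) -> str:
    """Uppercase hex SHA-1, the digest form the range API uses."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple[str, str]:
    """Split a hex digest into the 5-digit prefix that leaves the client and the remainder."""
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


# Constructed sample response for the range "5BAA6" (prefix of SHA-1("password")).
# Line format here is the real "SUFFIX:COUNT" plus a HYPOTHETICAL third field:
# comma-separated 5-digit prefixes of email hashes seen with that password.
# The count 42 is made up; it is not the service's real figure.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42:"
        + split_hash(sha1_hex("alice@example.org"))[0],
        "0123456789ABCDEF0123456789ABCDEF012:2",  # constructed filler entry, no email field
    ]),
}


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>; offline and constructed."""
    return SAMPLE_RANGES.get(prefix, "")


def parse_range_response(body: str) -> dict[str, tuple[int, set[str]]]:
    """Map each suffix to (breach count, set of email-hash prefixes); the email set is
    empty for plain 'SUFFIX:COUNT' lines, so the real API format still parses."""
    entries = {}
    for line in body.strip().splitlines():
        parts = line.strip().split(":")
        suffix, count = parts[0], int(parts[1])
        emails = set(parts[2].split(",")) if len(parts) > 2 and parts[2] else set()
        entries[suffix] = (count, emails)
    return entries


def check_credentials(password: str, email: str, fetch_range=fake_fetch_range):
    """Return (breach_count, email_prefix_matched). Only 5-digit prefixes ever leave
    the client; the full password hash and the full email hash stay local."""
    pw_prefix, pw_suffix = split_hash(sha1_hex(password))
    email_prefix, _ = split_hash(sha1_hex(email))
    entries = parse_range_response(fetch_range(pw_prefix))
    if pw_suffix not in entries:
        return 0, False
    count, email_prefixes = entries[pw_suffix]
    return count, email_prefix in email_prefixes
```

A prefix match on the email field is only a k-anonymous hint, exactly as for the password suffix list: it narrows the candidate set without revealing which full email address the service holds.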