Confirmation e-mail before displaying pwned data
Could you please implement a security feature that would require the email address owner to validate their email details before supplying the complementing pwned report.
This simple feature would make it harder for a malicious actor to identify what security breach data to search when looking for additional personal details that complement a user's email address.
Please note that the above scenario assumes that a malicious actor can acquire a copy of the data that is highlighted in pwned report.
There are many, many very good reasons why that would be infeasible: https://www.troyhunt.com/the-ethics-of-running-a-data-breach-search-service/