User submission of phish mails that charge Bitcoin ransom by putting old password in subject
I got yet another mail with the same template of putting one of my previously used passwords that have been potentially obtained from one or more breaches.
There has to be a secure process that HIBP can build for users if they can responsibly reset all the site logins where that password is used and maybe make HIBP aware that there are breaches from where these credentials are obtained and perhaps get a way to be alerted to. The user may take a decision if they want to continue with the service that was breached, regardless of changing the password.
I definitely don’t want to end up in a position where HIBP has the power to reset people’s passwords. If I’ve misunderstood and you’re talking about flagging potential breaches instead, vote for this idea: https://haveibeenpwned.uservoice.com/admin/v3/ideas/34782007/