Often there are "breaches" which turn out to be hoaxes. On the one hand, having only verified breaches in the system is important in terms of confidence in the data but on the other hand, people still want to know if their email address is circulating in a hoax breach.

This feature would need to indicate that the breach has not been verified and may be a hoax. It's also important that it wouldn't just automatically appear in results returned by the API, rather it could be requested by passing a parameter to the API such as "IncludeUnverifiedBreaches=true" where the default position when the parameter doesn't appear is "false". This would also necessitate returning an additional attribute in the API such as "IsVerified".