The chances for old email addresses to be listed in a breach is very high. After some decades of use the email address occurs in a breach with a hopefully old password and is used with new passwords currently.
Thus, it would be great if I could test if a specific username – password combination has been listed in a breach. As far as I understand the API this isn’t possible at the moment.
The relating email addresses could be returned after the number of breaches in the api.pwnedpasswords.com return value. This approach has the problem that foreign email addresses are send back to other people.
Therefore, a reverse k-Anonymity model approach could be applied and only the first 5 digits of the email addresses hash should be returned. The hash part could then be compared to hashes of known email address by the client. This would allow the client to identify username – password combinations with the api.pwnedpasswords.com without ever sending passwords and usernames.
Yours, Marcus

TL;DR: Make domain-level notification (1) more obvious to find and (2) more salient in the registration form.

Feature not advertised in top bar labels

• "Home" promises e-mail one-time search,
• "Notify me" promises e-mail notification, not registration
• "Domain search" promises, well, one-time domain search.

I suggest you add either a separate label on top bar with a separate form. Or change existing "Domain search" into "Domain search+notification" (yes, it's longer, so see other suggestion below).

Feature not recognizable when found

On https://haveibeenpwned.com/DomainSearch there is only one salient title "Domain search / Search for pwned accounts across an entire domain". No title about "notification".

I suggest you, on https://haveibeenpwned.com/DomainSearch form:

• to add between the "Domain name" entry box and the "Would you like..." another sub-title (h1, h2, whatever) reading "Notify me domain-wide" or similar.
• to change the checkbox label to at least include the word "notification" or "notify", like "Subscribe me for domain-wide notification".

This would make the feature easier to find, which will improve your interesting service.

Thank you.

Nice, now I know that my mail-address was included in the Exploit.In and Adobe breach. But the Exploit.In breach does not hint any clue whether we talk about the same service (=Adobe) or not. I can understand that you cannot mail me a password. After all you don't know me. I might as well be an imposter. But it would be cool if you could internally setup your database such that it outputs whether the password in an amalgamated-list-breach that did not specify a service like Exploit.In was identical to the one in another breach like the Adobe breach. That would allow me and other users to assess the damage much better and take action. So the output I would wish for should look as follows:

Credentials associated with your email appeared N times in this list. 1 entry matched information leaked through >link< XYZ breach. 1 entry matched information leaked through >link< XYZ breach. .... and so on.

Spamgourmet.com allows a user to create disposable email addresses on the fly. That way a unique email address can be used for each web site you sign up for. The structure of an address is identifier[.##].username@spamgourmet.com, where the identifier can change per site and [.##] is an optional max number of emails you want to receive. Because a different address is used for each site it is currently impossible to query HIBP for breaches of all sub-addresses, like *.username@spamgourmet.com. Allowing wildcard search and notification for spamgourmet addresses (or its many alias domains) would enable users to check on any of their disposable addresses.

A lot of people use a syntax such as troyhunt+foo@hotmail.com where foo is a unique identifier for the site. They do this so that if they begin getting spammed, they can identify the source their email came from.

At the moment, HIBP treats this is a totally unique email address so if I've search for the parent email address without the "+" syntax, it won't be found. This idea is to ensure that searches and notifications recognise the syntax and return addresses that are logically still the same account.

One thing HIBP would also need to do is specify which account alias was in the breach or paste. For example, I would want to know that it was troyhunt+bar@hotmail.com that was exposed in the XYZ breach.

Edit: Just to put the value of this into context, I've just run some stats on the Adobe breach. Of the the 152,989,508 rows in the dump, only 49,905 email addresses have a "+" in the address so that's 0.03% of entries. That number is also a bit high as it includes junk entries. I'm definitely not ruling this idea out - it's still planned - I just wanted to give a sense of how useful it would be.

Edit: To add to this idea, Robert's comment about a period in the email is also very valid. I'd want to be very clear about the ubiquity of this practice across mail providers, but it's certainly a good suggestion and worth further investigation.