Let users use pre-generated hash values to search. Yeah, I know you calculate hashes of typed passwords on a client side, but some people still prefer not to type their password on 3rd party sites.

EG; https://twitter.com/haveibeenpwned/status/1180912324644888576 '87% of addresses were already in @haveibeenpwned'. In this case 87% of the 988k records were already in the DB. I can see the PwnCount, but not the % that was already in the DB, that's the attribute I'd like to be doing some querying on.

Is there an issue with generating API keys right now? I'm unable to get a key receiving an error:
An error occurred while processing your request
The error has been logged and a notification sent.

In the footer, there is the text "A troyhunt.com project" and 3 icons underneath it. These are very hard to see, especially the text. Please increase their contrast with the background

Right now just by providing an e-mail address you can get pastes with plain password for that address. I can see how this can be abused. Could You implement some kind of verification that it's the actual owner of the e-mail? For example, sending an email which leads to a list of pastes where the password was found.

if the email address matches the username, provide associated data elements that have been breached. These could be as follows..
1. plain-text passwords, password hashes associated with the email add.
2. other PII .. address, phone#, IP, etc.

Security teams within larger and less mature enterprises struggle to achieve regular access to new breach info based on the current verification process.

Security.txt was implemented as a standard for disclosures, so it would make sense this would also be leveraged for validating domain searches by security teams. Also, would make accessing new affect users easier for larger international organizations where the DNS registration is non-standard or inaccessible.

Add a date filter to the api/breachedaccount/{account} endpoint.

In this way, we can only query breaches that were added after X date. This is helpful for notifications and reduces the amount of data we retrieve.

This way TXT record can be added automatically at GoDaddy, 123reg, 1&1 IONOS and few others. See https://www.domainconnect.org/dns-providers/

Captcha is grotesequely unfair on people that have learning disabilities and is preventing me from properly using your service.
Find an anti-robot mechanism that doesn't penalise real people with real problems.

Apparently, multi-domain search result for breached email account sets are broken. Maybe only for large result sets?
I did a multi-domain search after the avectis breach notification with over 10.000 of our company and customer emails affected. However, the "Breached email accounts" tab in the excel format was empty. The HTML did not load (result set to big) and the JSON also only included "{"BreachSearchResults":null, ..."
Can you check this please?

In many cases of small businesses, customers know about problems through internal emails much faster than large media. So there should be the possibility to report data breaches with sources. Perhaps with a form and in addition you can forward internal e-mails directly.

Add itsecuity@domain.com as one of the contacting addresses for a domain search as this is a common address these days.

I've been subscribing to the alerts for breaches related to our corporate domain, which is fantastic, but now that we have Splunk in house, I was hoping to connect directly to the API from a forwarder.

It would be great to see a timeline of breaches, and a graph of the total accounts compromised (maybe separately showing the date of breach and when it was discovered/reported). I know that this year has seen a few big breaches disclosed, thanks Yahoo & MySpace, although they date back somewhat.

For example, my parents wouldn't know what to d with this, but I'd like to add them with the option to report to me when they are compromised so I can fix it for them. Ideally, I'd add their emails and they would receive a notice to accept or deny, if they accept I get alerts on them in the future. Can optionally leave sensitive items out of report. I could also see this as helpful for consultants but maybe you could sell that. I'd actually pay for it for my parents too.