1,657 votesAnonymous commented
I think handling of these is important. I've actually used various iterations of a Gmail email address with different period placement to give the appearance of unique email addresses. This is usually for opting out of sites that publish my information using multiple versions of my name (such as whitepages.com, peoplesmart.com, etc.) where they often only accept one opt out request for an email.
An easy solution to the problem of periods used or not used at any location in a username would be to simply do a use do a comparison of email addresses without any periods. In other words, if replace(SearchedUsername,".","")=replace(PwnedUserName,".","") then there is a match. This could be implemented such that it applies automatically to email domains known to support this (such as gmail.com), and otherwise only when the option is checked by the user. That way, you're not checking every possible iteration. It might be more efficient to have a second field in the database for a "period-less" email username, but the trade-off would of course be more storage.
Similarly, the + system could be implemented in a similar way, where the plus and everything after are stripped off for searching purposes. I've never used that system, but have been looking at it recently. It seems to me that, in most cases, the + tag is not really needed, as the sites the email was used on should often bring that into context. But, as another user suggested, you could also allow searching of the + tags as well simply so a user who received a positive result on their base email username could then check using specific tags they use.