They should really accept a hash of your email/username to lookup. Then we can an idea of if we've been pwned without giving additional information if we haven't been.
I'm not sure how that would help. They would have to generate a matching hash on their end, giving them a lookup table to work backwards from hash to email address.
Now if they wanted to supply a list of hashes to the public, then you could check your own without knowing any of the other addresses used to generate the remaining hashes.
Yes, but they would already have your e-mail address anyway. Lookup by hash precludes the case where you're giving them information they didn't already have.
True. I was more referring to it being a confirmation that this is an email address that anyone cares about.
If I wanted to be truly malicious I'd have my online checker return a "Nope, you're all good" and then add that email address to the short list of accounts to go after.
