Nerdy leaked passwords:
Treebeard - “This password has been seen 1,207 times before in data breaches!”
NedStark - 20 times
CerseiLannister - 30 times
youknownothingjonsnow - 61 times
PicardIsSexy - 0 times (!The_Picard_Maneuver@piefed.world you’re safe. ;)
edit:
Gandalf1 - 53,478
Gandalfthewhite - 51
sexygandalf - 6
NSFW leaked passwords:
spoiler
bigdick - 178,712 (!?!)
bigpussy - 9,226
longpussy - 26
longdick - 10,762
wetpussy - 61,575
wetdick - 579
twat - 6,588
dickhead - 201,942
Blueballs69 - 520
Weird leaked passwords:
BillClinton - 378
DonaldTrump123 - 792
youwillneverguessmypassword - 390
redgreenblue - 2,040
123qweasdzxc - 1,010,515
poopstick - 6,845
((More to come later))
I suppose they use JavaScript to hash your password locally so all haveibeenpwned has is your hash.
It’s certainly not full proof but it means a simple MITM attack wouldn’t be that bad.
The risk would be that the JavaScript in question would be compromised for the whole service. Also if the machine of the user is already compromised well I would argue that password is already useless anyway. If someone has a keylogger on your system, ihavebeenpwnd would be the least of your concern.
So it’s never foolproof but some risk can be mitigated.
Hashes are a powerful tool enabling easy check of leaks without exposing directly any user password.
Edit: Hmm there is much better explanations than mine on hashes on here, probably disregard the above comment.