Good find! And there's a mechanism to not transmit the real password over: https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange (saw it via Password::Policy::Rule::Pwned), still I would prefer inhouse service if site is big and serious enough.