by Ileca 3132 days ago
>Hacked sites, on the other hand, might not be too thrilled about a feature that will shame them about their previous lax security.

A simple flag doesn't reflect the quality of the security. You might not have a flag with terrible security simply because no one cared until now, when a website might have invested tremendous effort in security and met doom because hackers were numerous, obstinate and smarter. Security is a difficult matter and doesn't make you "lax" because of a breach. I hope the plugin will be descriptive because I don't see that in the readme.

I would be more or equally interested in a plugin shaming websites that store passwords in plain text, restrict characters to 20, prevent you from using anything other than letters and digits, etc. You could use pwned db to gather intel on the actual level of security of a website and flag them if they use outdated hash algorithms or other bad password storage practices. That would be more objective and force websites to fix their crap.