by yjftsjthsd-h 2531 days ago
Obvious next concern: Will bad actors just scrape the website? Putting authentication and payments in front of that rather defeats the entire point, and without that you're back to rate limiting which is exactly what has just been declared as a failed approach.
3 comments

Probably.

But you can justify a significantly more restrictive rate limit for a website form intended for individual mortal humans to check their own personal email addresses for breaches.

The API has to support request frequencies for legitimate usage that are obviously exploitable at a sufficiently small scale to attract a few exploiters...

Or scrape websites that provide a proxy to the API (e.g. the Cloudflare worker he described).

"Will bad actors just scrape the website?"

That's already been happening. Many simply use HIBP as a starting point to pwning someone's online accounts. Now, Troy is just going to attempt to really profit off of the actions of those bad actors.