by zaroth 2526 days ago
> 1Password tells you...

This is software acting as an agent of the affected user. 1Password could be authorized by the email holder to gain access to the API without making the information public.

> Other websites won't allow you to use...

This and the following example in your comment are discussing the breached password API, which is a completely different API that I specifically mentioned up-front as not compromising any PII.

I take zero issue with providing an API to see counts of how many times a password has shown up on breach lists, although I wouldn't use the API myself on any of my own passwords, because it leaks a 1-in-1-million discriminator to the actual password you are querying.

1 comments
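
The "1-in-1-million discriminator" mentioned in the comment above, as an added example that is not part of the thread. It assumes the breached-password API is a k-anonymity range lookup in which the client sends the first 5 hex characters of the password's SHA-1 (16^5 = 1,048,576 buckets) and matches the rest locally; the function names and the sample response are constructed for illustration.

```python
import hashlib

PREFIX_LEN = 5  # assumed: hex characters of the SHA-1 sent to the service


def split_hash(password):
    """Return (prefix sent to the API, suffix that never leaves the client)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def breach_count(password, range_response):
    """Match the locally kept suffix against 'SUFFIX:COUNT' lines for the bucket."""
    _, suffix = split_hash(password)
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0  # suffix absent from the bucket: not seen in the breach corpus


def buckets():
    """Number of distinct prefixes, i.e. the size of the discriminator."""
    return 16 ** PREFIX_LEN


def consistent_with(prefix, guesses):
    """Guesses that still fit after the prefix has been observed in transit."""
    return [g for g in guesses if split_hash(g)[0] == prefix]


# Constructed range response for the bucket containing "password";
# the counts are made up and the first line is a filler suffix.
SAMPLE_RESPONSE = "\n".join([
    "0" * (40 - PREFIX_LEN) + ":3",
    split_hash("password")[1] + ":42",
])

if __name__ == "__main__":
    prefix, _ = split_hash("password")
    print("prefix on the wire:", prefix)
    print("buckets:", buckets())
    print("count for 'password':", breach_count("password", SAMPLE_RESPONSE))
    print("guesses left:", consistent_with(prefix, ["password", "letmein", "hunter2"]))
```

The service and anyone observing the request learn only which of the 1,048,576 buckets the hash falls in, which is the leak the comment weighs against the benefit of the lookup.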

You don't get to take issue with any of this. Your information was already stolen! You have no say, the end.

So your fallback position is that it is perfectly legitimate to traffic in stolen PII. Got it.

Well, I take issue with that.

Yes, in some cases it's perfectly legitimate to "traffic" (terrible word choice) in stolen PII, that is correct.

And my "fallback" position is that it's better this way than the other way, where it's actually being trafficked, rather than your hyperbolic assertion that it is now.