by CloselyChunky 1905 days ago
From what I can see, this site sends your whole number to the backend to search for a number in the dump[0], while haveibeenpwned.com will hash the input, send only a prefix to the server and receive a list of hashes with the same prefix. If your hash is in the list, you've been pwned, but you can check without leaking your data to HIBP.

Edit: I just checked, seems like the form on the frontpage of HIBP also submits your complete email/phone number. Pretty sure I read about how you don't have to submit your personal data to validate against HIBP, not too long ago...

[0]: https://github.com/Fumaz/haveibeenfacebooked-api/blob/master...
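The prefix-query (k-anonymity) lookup the comment describes, written out as an added example that is not code from the post, from haveibeenfacebooked or from HIBP. The breached numbers, the in-memory server and the 5-hex-character prefix length are constructed for the example (5 characters is the width used by HIBP's Pwned Passwords range API, but nothing here talks to any real service). The server keeps a query log so the test can show what it learns under each method.

```python
import hashlib
from collections import defaultdict

# Hex characters of the SHA-1 hash sent to the server (20 bits of the 160-bit hash).
PREFIX_LEN = 5

# Constructed sample corpus of "breached" phone numbers; not real leaked data.
BREACHED = ["+15555550100", "+15555550123", "+447700900001"]


def sha1_hex(value: str) -> str:
    """Uppercase hex SHA-1 of the input; the only form the range server stores."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Hypothetical breach-lookup backend that stores hashes bucketed by prefix.

    `log` records exactly what each request disclosed to the server, so the
    two lookup styles can be compared.
    """

    def __init__(self, breached):
        self.buckets = defaultdict(list)
        for value in breached:
            h = sha1_hex(value)
            self.buckets[h[:PREFIX_LEN]].append(h[PREFIX_LEN:])
        self.log = []

    def lookup_plain(self, value: str) -> bool:
        """Naive API: the client sends the whole number; the server sees it."""
        self.log.append(("plain", value))
        return sha1_hex(value)[PREFIX_LEN:] in self.buckets.get(sha1_hex(value)[:PREFIX_LEN], [])

    def range(self, prefix: str) -> list:
        """k-anonymity API: the server only ever sees a hash prefix and
        returns every stored suffix under that prefix."""
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be %d uppercase hex characters" % PREFIX_LEN)
        self.log.append(("range", prefix))
        return sorted(self.buckets.get(prefix, []))


def check_without_disclosure(server: RangeServer, secret: str):
    """Client side: hash locally, send only the prefix, match the suffix at home.

    Returns (is_breached, bucket_size). bucket_size is the number of stored
    hashes sharing the prefix, i.e. how many candidates the server can't
    distinguish between; a bucket of size 0 or 1 gives little anonymity.
    """
    h = sha1_hex(secret)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    candidates = server.range(prefix)
    return suffix in candidates, len(candidates)


if __name__ == "__main__":
    srv = RangeServer(BREACHED)
    print(check_without_disclosure(srv, "+15555550100"))  # breached number
    print(check_without_disclosure(srv, "+15555550999"))  # not in corpus
    print(srv.lookup_plain("+15555550100"))
    print(srv.log)  # range entries hold a 5-char prefix; the plain entry holds the number
```

The range log entries never contain the number itself, which is the point the comment makes. One caveat worth keeping in mind when the input is a phone number rather than a password: the prefix still reveals 20 bits of the hash, and a 10-digit number space has only about 10^10 values, so a server that wanted to could hash every candidate number and narrow the query to roughly 10^10 / 2^20, about 9,500 possibilities. The scheme hides far less for low-entropy identifiers than it does for passwords.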

1 comment

haveibeenpwned.com does not use the k-anonymity method that you've described when searching for phone numbers: https://www.troyhunt.com/the-facebook-phone-numbers-are-now-...
Yeah, should have validated that claim first. Seems like the form on hibp.com always submits your input to the server...

Still, if I had to choose between hibf.com and hibp.com, I'd lean toward hibp.com since Troy is a known name in the industry and has offered this service for a long time without any complaints.