[leoxiong]

> If an email address hasn't been seen in a data breach before, it may be a newly created one especially for the purpose of gaming your system.

I’ve started using iCloud Hide My Email which generates a random email that forwards to my account email. This assumption is going to cause issues.

[thih9]

Next sentence addresses that:

> (…) or even using a masked email address service such as the one 1Password provides through Fastmail. Absence of an email address in HIBP is not evidence of possible fraud, that's merely one possible explanation.

[yuliyp]

It can, but that's kind of the nature of anti-spam systems these days. Come in on a Tor IP with a randomly-generated burner e-mail with a Curl user-agent and you're gonna get blocked from almost anything that spammers have an interest in. Come in on the e-mail address, aged cookies, and a geolocation associated with your credit card for years and you're gonna be fine. Do things in the middle and expect some amount of false positives.