by themingus 619 days ago
I was disappointed to discover that https://haveibeenpwned.com does not report an email as pwned if it is subaddressed/plus addressed. myemail@gmail.com is reported as still safe, but myemail+archive@gmail.com is pwned. I wonder if my email has been leaked by any other websites without me knowing.
1 comment

I don't think they can do that, because they do not store plaintext addresses in their database, merely hashes. It certainly reduces the impact of someone hacking HIBP.
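
An added example (not part of the thread, and not HIBP's code) that models the behaviour discussed above: a lookup service that keeps only digests of breached addresses. The class and function names, the use of SHA-256, and treating `+` as the subaddress separator for every domain are assumptions made for illustration.

```python
import hashlib

def canonical(addr: str) -> str:
    """Trim and lower-case; the +tag is kept, so this is exact matching."""
    addr = addr.strip().lower()
    if addr.count("@") != 1 or addr.startswith("@") or addr.endswith("@"):
        raise ValueError(f"not a simple address: {addr!r}")
    return addr

def strip_subaddress(addr: str) -> str:
    """Drop a '+tag' from the local part (assumed separator; provider-specific)."""
    local, domain = canonical(addr).split("@")
    return f"{local.split('+', 1)[0]}@{domain}"

def digest(addr: str) -> str:
    return hashlib.sha256(addr.encode("utf-8")).hexdigest()

class HashOnlyIndex:
    """Hypothetical breach index that stores digests, never plaintext."""
    def __init__(self, fold_subaddress: bool = False):
        self.fold = fold_subaddress
        self._digests = set()

    def _key(self, addr: str) -> str:
        return digest(strip_subaddress(addr) if self.fold else canonical(addr))

    def ingest(self, addr: str) -> None:
        self._digests.add(self._key(addr))

    def is_pwned(self, addr: str) -> bool:
        return self._key(addr) in self._digests

def variants_to_check(addr: str, tags: list[str]) -> list[str]:
    """Addresses to query one by one against an exact-match service."""
    local, domain = strip_subaddress(addr).split("@")
    return [f"{local}@{domain}"] + [f"{local}+{t}@{domain}" for t in tags]

# Constructed breach record, using the address from the post.
LEAKED = ["myemail+archive@gmail.com"]

def build(fold: bool) -> HashOnlyIndex:
    index = HashOnlyIndex(fold_subaddress=fold)
    for addr in LEAKED:
        index.ingest(addr)
    return index

if __name__ == "__main__":
    exact, folded = build(False), build(True)
    print("exact :", exact.is_pwned("myemail@gmail.com"))   # digest differs
    print("folded:", folded.is_pwned("myemail@gmail.com"))  # tag dropped before hashing
    print(variants_to_check("myemail@gmail.com", ["archive"]))
```

With exact-match digests, the owner has to query every tagged variant they have handed out; folding the tag at ingest matches the base address but loses the record of which tag leaked.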