Fake "Have I Been Pwned" site will leak your password unless you donate Bitcoin

Discussion in 'other security issues & news' started by hawki, Apr 12, 2018.

  1. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "This site will leak your password to everyone unless you donate Bitcoin

    Someone has built a malicious copycat of the popular breach database Have I Been Pwned that will reveal your password in plaintext – unless you pay up a cryptocurrency ransom in Bitcoin, Ethereum, Bitcoin Cash, or Litecoin.

    Just like Have I Been Pwned, the malicious copycat will let you check whether your associated email address has been breached in the past. The disturbing part is that it will also display leaked passwords of such compromised accounts. The website then asks users for a one-off $10 donation in cryptocurrency to hide the passwords..."

    https://hardfork.thenextweb.com/hardfork/2018/04/12/bitcoin-password-leak-cryptocurrency
     
  2. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    I have checked an old password after I recently changed it to see if it was pwned but I would never enter a current password into one of those sites.
     
  3. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    IIRC you enter an email address, not a PW.

The authentic site does not give hacked PW's per se. It tells you if your info was subject to exposure and the particular breach(es) in which that may have happened.
     
  4. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Yes some check email addresses but there is at least one where you can enter a password to check it.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
Now why do you want to give up your password? Surely that site must be some kind of scam.
     
  6. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    It could be, that's why I only checked a couple of old passwords that I had already changed.
    One was an old password for this site, it said that password was pwned.
    This is the site.
    https://haveibeenpwned.com/Passwords
    They say they have half a billion pwned passwords accumulated from data breaches and you can check your password to see if it is one of them.
     
    Last edited: Apr 14, 2018
  7. brians08

    brians08 Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    102
    You could directly use the password lookup API: https://api.pwnedpasswords.com/range/##### (Where ##### is the first 5 hex digits of the SHA1 password hash)
This returns a list of all hashes in the database that start with those characters plus the number of occurrences.
    Since you only send part of your password hash, a malicious website would be pointless.
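The range lookup brians08 describes, worked through in Python as an added example (this is not code from the thread or from Have I Been Pwned): the password is hashed with SHA-1, only the first 5 hex characters of the hash leave the machine, and the match against the returned `SUFFIX:COUNT` lines happens locally. The response body used here is constructed to show the format and its occurrence counts are made up; `fetch_range_live` shows the real request shape but is not called by the offline demo. The hash of the sample password "password" is the well-known SHA-1 value.

```python
import hashlib
import urllib.request

# Endpoint from the post: https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple:
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1 of the password.

    Only the prefix is ever sent to the server; the suffix stays local.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse a range response ("SUFFIX:COUNT" per line) into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """Number of times the password appears in the corpus, 0 if absent.

    fetch_range(prefix) -> str returns the raw response body for a 5-char prefix;
    injecting it keeps the logic testable offline.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    body = fetch_range(prefix)
    return parse_range_response(body).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real network fetch of one range. Not used by the offline demo or tests."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    with urllib.request.urlopen(PWNED_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the body the API would return for prefix 5BAA6.
# The first suffix is the real SHA-1 tail of "password"; the counts and the
# other suffixes are made up for illustration only.
CONSTRUCTED_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0123456789ABCDEF0123456789ABCDEF012:2
FEDCBA9876543210FEDCBA9876543210FED:17
"""


def fetch_range_constructed(prefix: str) -> str:
    """Offline fetcher: returns the constructed body for 5BAA6, an empty range otherwise."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        prefix, _ = sha1_prefix_suffix(pw)
        n = pwned_count(pw, fetch_range_constructed)
        print(f"sent prefix {prefix}; {pw!r} seen {n} time(s) in the constructed range")
```

To run against the live service, pass `fetch_range_live` instead of `fetch_range_constructed`; the server still only ever sees the 5-character prefix, which is why the post notes that a copycat site has nothing to gain from this path.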
     