This is a Drupal 8 module that adds a exposed plugin to the D8 Password Policy module.
The plugin uses the Have I Been Pwned Passwords API. To protect privacy, the API uses the k-Anonymity model. A SHA-1 hash of the password is created, only the first 5 characters of the hash are sent to the API. The API response is a list of matching SHA1 hashes representing exposed passwords known to the service. The plugin then checks if the full SHA-1 is in the list, without sending the full hash to the API.