See also https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/

It provide at least js API that are privacy protecting and can indicate if password is in already leaked password.

That can (and should?) also be triggerd on each login, instead of only when password are set, in case the pwd is leaked after bing set.