hhmx.de

· Federation EN Mon 17.03.2025 18:56:13

@0xF21D As bad as the optics are on this one, they're doing the moral equivalent of github.com/DivineOmega/passwor

They aren't storing people's passwords for their analysis; they query the HIBP API with the first 5 hexits from the SHA1 hash of the user's password, then check if the full SHA1 hash is returned. If it is, they report that it's compromised. If it isn't, they report that it isn't.

Is it alarming that they're in a position to do this for all the websites they protect? Oh, absolutely.

But CloudFlare was always MitM as a Service (the Service being "DDoS mitigation"). That's one reason why it's so actively distrusted.
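The range-query flow the post describes, written out as an added example (not code from the post's author, from Cloudflare, or from the linked DivineOmega project): the client hashes the password with SHA-1, sends only the first 5 hex characters, receives every suffix the service knows under that prefix, and does the final comparison locally, so the full hash never leaves the client. The real endpoint `https://api.pwnedpasswords.com/range/<prefix>` is mentioned in a comment only; to run offline the example stands in a constructed in-memory "server" built from a tiny made-up breach corpus (`SAMPLE_CORPUS`, `fake_fetch_range`, `REQUESTED_PREFIXES` are all assumptions of this example) and records what that server side actually got to see.

```python
import hashlib
from collections import Counter


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of a password into the 5-char range prefix
    (the only thing sent over the wire) and the 35-char suffix kept locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body):
    """Parse a range response ("SUFFIX:COUNT" per line) into {suffix: count}.
    Malformed or blank lines are skipped rather than raising."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Return how many times the password appears in the corpus behind
    fetch_range, having disclosed only the 5-hex-char prefix.

    fetch_range(prefix) -> str body. In production this would be an HTTP GET of
    https://api.pwnedpasswords.com/range/<prefix>; that call is not made here.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


# --- constructed stand-in for the remote service so the example runs offline ---
SAMPLE_CORPUS = Counter({"password": 3, "letmein": 2, "hunter2": 1})  # constructed


def build_range_store(corpus):
    """Group the corpus the way the service does: prefix -> ["SUFFIX:COUNT", ...]."""
    store = {}
    for pw, n in corpus.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        store.setdefault(prefix, []).append(f"{suffix}:{n}")
    return store


RANGE_STORE = build_range_store(SAMPLE_CORPUS)
REQUESTED_PREFIXES = []  # everything the "server" side gets to observe


def fake_fetch_range(prefix):
    """Hypothetical responder mimicking the range API's CRLF-separated body."""
    REQUESTED_PREFIXES.append(prefix)
    return "\r\n".join(RANGE_STORE.get(prefix, []))


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, fake_fetch_range)
        print(f"{pw!r}: {'compromised' if n else 'not found'} ({n} hits)")
    print("server saw only:", REQUESTED_PREFIXES)
```

The point to take from `REQUESTED_PREFIXES` is the k-anonymity property: the service learns a 5-character prefix shared by many hashes, never the full hash, which is why the check does not require storing or transmitting the password itself. The trust question the post raises is separate: whoever runs `breach_count` has the plaintext in hand at that moment, so the scheme protects the password from the lookup service, not from the party performing the lookup.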