@cR0w Mishandling the data is surely a concern, but I don't think this particular case is an indicator of such misuse:
HIBP API is anonymized in the first place. They must already have an "even more" anonymized yes/no signal from their detection service (whether it's using the anon API or a full HIBP copy), and at CF's scale I don't think anyone wants to receive all the non-anonymized request fragments for perf/bandwidth reasons alone.
Sure there may be an evil team at CF who secretly look at creds, but this stat is not an evidence of that.