But I'm saying it should be possible to view the source of the password, not the password itself. Which is what his site already shows for individual breaches.
Are you saying that's the risk of providing the website URL? Or that it's the risk of the HIBP?
Because he does provide the email and the leak name... He even provide indirectly where to download it from his blogpost.
Providing the website won't give more dangerous information, that's exactly what he usually does when it's not a stuffing list, he say where the password come from (Linkedin, Facebook, etc...).
