
The majority of my accounts are through a custom domain with a different username for each service. But that also means I don't have HIBP alerts set up for any of them.


I have the same setup by the sound of it and set up HIBP to let me know whenever any email using my domain appears in the database.


Same here. I call them canary email addresses when I have to describe it to someone, so I can tell when that organization loses its data.

For those of us crazy enough to do this, I came up with another type of canary, a "Do they check for compromised passwords?" canary. I have an old password that used to be strong enough for sites I considered low value and was too lazy to break out the password safe. Of course at least one of those low value sites was compromised and that password was leaked.

Now some of the services are high value to others while they remain low value to me. So they have enabled MFA and notifications when someone logs in. Since no one knows the email address I'm using and I've turned on MFA, I feel safe enough leaving that old compromised password in place. I'm waiting for the day they force me to reset it because they bothered to check their customers' existing passwords against compromised ones.
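Added example, not part of the thread: a sketch of how a service could run the compromised-password check the last comment is waiting for, using the k-anonymity range format of HIBP's Pwned Passwords (only the first five hex characters of the SHA-1 leave the server). It assumes the check runs at login, the one moment a service holding only salted hashes sees the plaintext; `LEAKED`, `fake_range_lookup` and `login_requires_reset` are constructed stand-ins so the block runs offline.

```python
import hashlib
from typing import Callable

# Constructed sample corpus standing in for a breach password list.
LEAKED = ["hunter2", "Summer2019!", "correct horse"]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_lookup(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    Returns 'SUFFIX:COUNT' lines (35-char suffix) for each corpus hash that
    shares the 5-char prefix. The counts are constructed.
    """
    lines = []
    for i, pw in enumerate(LEAKED, start=1):
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{i * 100}")
    # Padding-style entry with count 0, as sent when response padding is on.
    lines.append("0" * 35 + ":0")
    return "\r\n".join(lines)


def breach_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """Return how often the password appears in the corpus, 0 if absent."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    # Only the prefix is sent; the suffix comparison happens locally.
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


def login_requires_reset(password: str,
                         range_lookup: Callable[[str], str]) -> bool:
    """Hypothetical hook: call after the password verifies, before the
    session is issued, and route the user to a forced reset on True."""
    return breach_count(password, range_lookup) > 0
```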



