
No matter what anyone says, I am not going to type my password into a site called “Pwned Passwords” lol


The k-anonymity API makes it such that the password doesn't have to be sent to HIBP, but the first 5 characters of its SHA1 hash.

This returns a list of possible suffixes which can be checked for the actual password to see how many have been breached.

For example, a search for "abc" with the hash "a9993e3...89d" becomes:

`curl -s https://api.pwnedpasswords.com/range/A9993 | grep -i e364706816aba3e25717850c26c9cd0d89d`

which returns `E364706816ABA3E25717850C26C9CD0D89D:226273`, indicating that the password has been seen 226,273 times.
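The k-anonymity flow described in the reply above, as an added Python example that is not part of the thread: it splits the SHA-1 into the 5-character prefix that is sent and the suffix that stays local, and parses a range response. The response body is constructed here (it carries the real "abc" line quoted above plus made-up filler lines) so the check runs offline; `fetch_range` shows the live call but is not used by the offline check.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hibp_range_query(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest.

    Only the 5-char prefix leaves the client; the 35-char suffix is
    compared locally against the candidates the API returns.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF-terminated in the real API)."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, body: str) -> int:
    """Number of times the password appears in breaches, 0 if absent."""
    _prefix, suffix = hibp_range_query(password)
    return parse_range_response(body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup of one hash prefix (network; not used in the test)."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample of what /range/A9993 might return. The "abc" line
# is the real one quoted in the thread; the other two are made up.
SAMPLE_RESPONSE = (
    "0000001C6A7B8D2E4F3A5B6C7D8E9F0A1B2C3D4:3\r\n"
    "E364706816ABA3E25717850C26C9CD0D89D:226273\r\n"
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1\r\n"
)

if __name__ == "__main__":
    print(breach_count("abc", SAMPLE_RESPONSE))  # 226273
```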



