Your password is SHA-1 hashed in the browser, and only the first 5 characters of the hash are sent to Have I Been Pwned's k-anonymity API. HIBP returns all hashes starting with those 5 characters; the full match is compared locally. Your plaintext password never leaves your browser. See the walkthrough for the full workflow and the separate guidance on checking your email address for historical breaches.
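The range check described above, as an added example that is not this site's own code: Node's `createHash` stands in for the browser's hashing so it runs offline, and `fetchRange`, `stubFetch`, `SAMPLE_BODY` and the counts in it are constructed for illustration.

```javascript
const { createHash } = require('node:crypto');

// Uppercase SHA-1 hex digest, split into the 5-character prefix that is sent
// and the 35-character suffix that never leaves the client.
function splitHash(password) {
  const hex = createHash('sha1').update(password, 'utf8').digest('hex').toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// Range responses list one "SUFFIX:COUNT" pair per line (CRLF-separated).
// Return the count for our suffix, or 0 when it is absent.
function countInRange(suffix, body) {
  for (const line of body.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate && candidate.toUpperCase() === suffix) {
      // Padded responses include filler entries with a count of 0.
      return Number.parseInt(count, 10) || 0;
    }
  }
  return 0;
}

// fetchRange (hypothetical, injected) maps a prefix to a response body.
// In a browser it would wrap a request to the range endpoint.
function checkPassword(password, fetchRange) {
  const { prefix, suffix } = splitHash(password);
  const body = fetchRange(prefix); // the only value handed to the network layer
  return { sent: prefix, count: countInRange(suffix, body) };
}

// Constructed response body; the counts are made up for this example.
const SAMPLE_BODY = [
  '0123456789ABCDEF0123456789ABCDEF012:4',
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234', // suffix of SHA-1("password")
  'F'.repeat(35) + ':0',                       // padding-style filler entry
].join('\r\n');

const requests = []; // records everything the stub "server" receives
const stubFetch = (prefix) => { requests.push(prefix); return SAMPLE_BODY; };

console.log(checkPassword('password', stubFetch));
```

The `requests` array shows what an observer on the server side learns: a 5-character prefix shared by many unrelated hashes, never the suffix or the password.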