Hacker News

Does it feel like this site is itself a vulnerability? It seems like being able to go type in anybody's email address and just get a list of sites where it was found would be part of an OSINT process.

Shouldn't it at least send you a link to verify that you control the address before showing your results?
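One way to implement the verify-before-reveal step this comment asks for, as an added example rather than code from HIBP or from anything on this page: the site e-mails a link carrying a short-lived HMAC-signed token bound to the submitted address, and the results endpoint only answers for the address the token proves. The breach index, the `example.invalid` link and the 15-minute lifetime are assumptions made for illustration; sending the e-mail itself is left out.

```python
"""Verify-before-reveal for a breach lookup: the site e-mails a signed,
expiring link and only shows results for the address the link proves.
Added example, not HIBP's code; the breach data below is constructed."""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Per-deployment signing key. Generated at start-up here so the demo is
# self-contained; a real service loads a persistent key from a secret store
# so links survive restarts and the key can be rotated deliberately.
SECRET_KEY = secrets.token_bytes(32)

TOKEN_TTL = 15 * 60  # seconds a link stays valid (assumed value)

# Hypothetical breach index: constructed sample data, not real records.
BREACH_INDEX = {
    "alice@example.com": ["ExampleShop (2019)", "ForumX (2021)"],
    "bob@example.com": [],
}


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def normalize_email(email: str) -> str:
    # Case-fold so Alice@Example.com and alice@example.com map to one row.
    return email.strip().lower()


def make_verification_token(email: str, now: Optional[float] = None) -> str:
    """Token carried by the e-mailed link, shaped email.expiry.signature.

    The signature covers both the address and the expiry, so a token can be
    neither re-pointed at someone else's address nor given a longer life.
    """
    expires = int((now if now is not None else time.time()) + TOKEN_TTL)
    email_part = _b64e(normalize_email(email).encode())
    exp_part = _b64e(str(expires).encode())
    sig = _sign(f"{email_part}.{exp_part}".encode())
    return f"{email_part}.{exp_part}.{_b64e(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the proven address, or None if the token is malformed, tampered
    with, or expired. The signature is checked before the expiry is parsed,
    so an unsigned expiry value is never trusted."""
    try:
        email_part, exp_part, sig_part = token.split(".")
        sig = _b64d(sig_part)
        expected = _sign(f"{email_part}.{exp_part}".encode())
        if not hmac.compare_digest(sig, expected):  # constant-time compare
            return None
        expires = int(_b64d(exp_part))
        email = _b64d(email_part).decode()
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    current = now if now is not None else time.time()
    if current > expires:
        return None
    return email


def breaches_for_verified(token: str, now: Optional[float] = None):
    """The lookup endpoint behind the link: results only for a proven address.
    Returns None (not an empty list) when the token fails, so a caller who
    never proved control learns nothing, not even "no results"."""
    email = verify_token(token, now)
    if email is None:
        return None
    return BREACH_INDEX.get(email, [])


if __name__ == "__main__":
    link_token = make_verification_token("Alice@Example.com")
    print("mail this link:", f"https://example.invalid/verify?t={link_token}")
    print("after click:", breaches_for_verified(link_token))
```

A production version would additionally store a nonce per token so a link can be consumed once, and rate-limit the "send me a link" endpoint so it cannot be used to spam an address. The gate raises the bar for casually looking up someone else's address; it does nothing against an attacker who already holds the underlying dumps.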




> Does it feel like this site is itself a vulnerability? It seems like being able to go type in anybody's email address and just get a list of sites where it was found would be part of an OSINT process.

I think it is a reasonable trade-off. For non-technical people (i.e. ~everyone) it provides a really useful service where you can see if your data has been leaked and what passwords to reset. For bad guys it makes their lives a little easier by creating a quick lookup and potentially knowledge about some leaks they weren't aware of, but ultimately there'd be a dark web version if HIBP didn't exist.

I think there's also a lot of PR value in a site like HIBP. If a non-technical person sees a headline like "400 million customer records leaked by Big Corp" it feels pretty abstract, but if you go and type your email address into HIBP and see a list of companies who have leaked your email address (and most likely some other data) it feels more personal.


I guess the assumption is that bad actors have access to the data anyway, so putting such a verification process in place would not deter any bad actor in any way.


This is indeed a part of an OSINT process. Always has been.


Most online criminals will already have this or know how to get it with even the slightest bit of research, so it's not really a big deal in 99% of the cases. I think the net good is better than the net bad by orders of magnitude.


I felt the exact same way. Especially because I saw my email had been registered and leaked by some seedy looking conservative news site full of Trump propaganda. I always knew people could sign others up for junk "malicious subscriptions" and suspected that is what happened when I would get this trash in my inbox, but now seeing that other people can also see it very publicly is disturbing. How are they to know I didn't sign up for this myself? I'd hate to think people were thinking that about me.

EDIT: Seems like https://haveibeenpwned.com/OptOut does the trick.



