Based on the responses to a tweet he posted about the Have I Been Pwned PHP package he created (found here), Michelangelo van Dam attempts to clear up how the package works and calm some fears about how it handles passwords.
Yesterday evening I posted a Tweet about improving user-entered passwords using Troy Hunt's service Have I Been Pwned. [...] It went viral overnight with many likes and retweets. But I also got a ton of questions regarding the usage and the security of this package. It turns out many people are scared to send passwords over the internet and are afraid to just use a package (like mine) for password checking.
In his post he explains how the password lookup works: only the first five characters of the hashed password are sent to the HIBP server, never the plain-text password itself, and the comparison against the returned candidates happens on the client. He includes a helpful graphic to illustrate the process and an example (not taken directly from the package) of how the request might work. His package makes this validation much simpler to perform in your application.
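The k-anonymity lookup described above, as an added Python example rather than code from the package or the post: the password is SHA-1 hashed, only the 5-character hex prefix goes into the request to the real range endpoint, and the 35-character suffix is matched locally against the "SUFFIX:COUNT" lines the server returns. The server reply is a constructed stand-in so the example runs offline; the function names are this example's own.

```python
import hashlib
from typing import Dict, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint


def hash_parts(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password.

    Only the 5-character prefix ever leaves the client; the 35-character
    suffix is compared locally against what the server sends back.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_request_url(password: str) -> str:
    """Build the lookup URL; neither the password nor its full hash is in it."""
    prefix, _ = hash_parts(password)
    return HIBP_RANGE_URL + prefix


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates CRLF and blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, response_body: str) -> int:
    """Number of times the password appears in the range reply (0 if absent)."""
    _, suffix = hash_parts(password)
    return parse_range_response(response_body).get(suffix, 0)


# Constructed stand-in for the server's reply to the prefix of "password":
# two made-up suffixes plus the real suffix of SHA-1("password"), computed
# here so the example needs no network access. Counts are constructed too.
_PWD_SUFFIX = hash_parts("password")[1]
SAMPLE_RESPONSE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    f"{_PWD_SUFFIX}:3730471\r\n"
    "011053FD0102E94D6AE2F8B83D76FAF94F6:2\r\n"
)

if __name__ == "__main__":
    print(range_request_url("password"))  # ends in /range/5BAA6, nothing more
    print(pwned_count("password", SAMPLE_RESPONSE))  # 3730471
    print(pwned_count("correct horse battery staple", SAMPLE_RESPONSE))  # 0
```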