Is super paranoid use of HaveIBeenPawned password API going to help?

They way I understand HaveIBeenPawned password API is that it’s a safe system because the site “can’t do much with my partial hash even if they wanted to”. But is that really true? Is the following scenario feasible?

  1. My password is thisisnotsecureanymore
  2. It’s SHA1 is 37cbd1e930b737e4bcbd149c2fcaccbe066ce9c4

  3. I submit https://api.pwnedpasswords.com/range/37cbd (no match)

  4. HaveIBeenPawned turns to the dark side and starts recording my IP + request.
  5. I submit https://api.pwnedpasswords.com/range/37cbd (no match)
  6. I submit https://api.pwnedpasswords.com/range/37cbd (no match)
  7. I submit https://api.pwnedpasswords.com/range/37cbd (no match)
  8. Over time HaveIBeenPawned gets more lists and there are 100 new 37cbd entries in it. Mine isn’t in there yet. Periodically they keep trying to brute force with all ~500 entries against login portal at the IP I’m running the API from (although they could probably just check the 100 new ones because if there was a match, I would soon change my password and stop hitting their API. The fact I keep checking is also a singnal for them)
  9. I submit https://api.pwnedpasswords.com/range/37cbd (no match)
  10. I submit https://api.pwnedpasswords.com/range/37cbd (no match)
  11. I submit https://api.pwnedpasswords.com/range/37cbd (no match)
  12. HaveIBeenPawned gets 101st entry 37cbd1e930b737e4bcbd149c2fcaccbe066ce9c4 hash and doesn’t tell me about it.
  13. HaveIBeenPawned goes to my IP address and logs in with the clear text password.

The key to the vulnerability is that I keep coming to check the same hash (revealing that it has some value to me), but because HaveIBeenPawned sits on knowledge that I don’t have (news about my recently leaked password), they can use that against me. It’s a long game requiring patience, but I think it would be effective way to reduce search space.

I have two ideas how to thwart this vulnerability:

  • Use Tor to randomize my IP somewhat
  • Send 100 fake request for each real one. The signal is still in the noise it’s just little bit more burried now .. is it burried enough?
  • Is there a better way?

If your answer, is “HaveIBeenPawned would never do that, If you don’t trust HaveIBeenPawned, then just don’t use them” I already know that. My question is “Can I use HaveIBeenPawned more safely even though I don’t fully trust them”