Sexploitation with actual password not found in leaks

I have received one of those typical sexploitation scams (“drive-by exploit”, filmed by webcam (mine has tape on it), pay bitcoin etc.). The thing is that an old password of mine is included (I don’t even remember where I used it), but searching the password on HaveIBeenPwned returns nothing (I have previously been notified of two leaks, Last.FM and MyFitnessPal, but those accounts use different passwords).

That got me wondering: since this seems to be a rather old password, how complete are databases like HaveIBeenPwned, and where could I report such a new exploit, other than the authorities?