
k-Anonymity is not particularly clever. Every time you use a cryptographic hash to look something up you have a tradeoff around the length of the hash.

A long hash will identify your password very precisely.

A very short hash, e.g. down to 1 byte, will have so many matches as to be useless.

Cloudflare chose:

> For example; the Hash Prefix 21BD1 contains 475 seemingly unrelated passwords, including:

...and this allows attackers to easily create a list of short hashes of common passwords and try them against matching accounts, as they point out:

> It is important to note that where a user's password is already breached, an API call for a specific range of breached passwords can reduce the search candidates used in a brute-force attack



It's clever in the way that if your password does not appear in the dataset the service doesn't have much information (or really any information that could be used to get your password).
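The prefix/suffix split both comments are discussing, as an added example that is not code from the thread, from Cloudflare or from Have I Been Pwned: the server indexes SHA-1 hashes by a 5-hex-character prefix (as in the quoted 21BD1 bucket), the client sends only that prefix and compares suffixes locally, and `bucket_sizes` shows how shortening or lengthening the prefix changes how many candidates the server is left with. The password corpus is constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breached-password corpus (not real breach data).
CORPUS = ["password", "123456", "qwerty", "letmein", "hunter2",
          "dragon", "iloveyou", "admin"]


def sha1_hex(pw: str) -> str:
    """Upper-case hex SHA-1, the digest form the range API uses."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def build_index(corpus, prefix_len=5):
    """Server side: bucket every hash under its first prefix_len hex chars."""
    index = defaultdict(list)
    for pw in corpus:
        h = sha1_hex(pw)
        index[h[:prefix_len]].append(h[prefix_len:])
    return index


def range_query(index, prefix):
    """Server side: return all suffixes in the bucket; the full hash never arrives."""
    return list(index.get(prefix, []))


def check_password(pw, index, prefix_len=5):
    """Client side: send only the prefix, match the suffix locally.

    Returns (found, bucket_size); bucket_size is the number of candidates the
    server could associate with this query, i.e. the 'k' in k-anonymity."""
    h = sha1_hex(pw)
    prefix, suffix = h[:prefix_len], h[prefix_len:]
    bucket = range_query(index, prefix)
    return suffix in bucket, len(bucket)


def bucket_sizes(corpus, prefix_len):
    """The length tradeoff: sorted bucket sizes for a given prefix length.

    prefix_len=0 puts everything in one bucket (maximum anonymity, useless
    lookup); a long prefix leaves buckets of size 1 (exact identification)."""
    return sorted(len(v) for v in build_index(corpus, prefix_len).values())


if __name__ == "__main__":
    idx = build_index(CORPUS)
    print(check_password("password", idx))
    for n in (0, 1, 5):
        print(n, bucket_sizes(CORPUS, n))
```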



