To an extent, we're all the product on HIBP. The site runs commercial subscriptions, where services pay some nominal fee to find out if its users are reusing a password they used on NeoPets 20 years ago. The site also runs some advertising. Irrespective of how optimised the application is, it has infrastructure and staff costs which need to be paid for in some way.
There's 13bn leaked accounts on the site, and although Hunt does appear to run the site entirely selflessly with little/no profit motive, there is at least some commercialisation of the accounts listed bringing in revenues to cover its costs.
It's free for us because somewhere in the chain, someone is paying for data about us - even if their use-case isn't nefarious.
I own my own domain name, and 28 variations of my email address have appeared in various breaches. In order to search and receive alerts for my domain, i had to sign up for a 16$/mo service.
