For what it's worth RE: HIBP, the lookup is never actually done on an email address. If you use the API (https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByR..., or https://api.pwnedpasswords.com/range/3E398 to see the API result), you transmit 5 characters of the SHA1 hash of the email address and check if the full hash is in the list.

This makes it possible to use the API without worrying about user privacy as long as you keep checking the email addresses, even after indicators of compromise. Suppose spam@jeroenhd.nl is in the list is the only email address with 0xABCDE as the start of the hash, and the full hash being 0xABCDE0000; now bizniz@dijonman2.com happens to have the hash 0xABCDE1234. You transmit ABCDE to the backend, but even with the unique five letters of spam@jeroenhd.nl, how can the server possibly know if you're checking spam@jeroenhd.nl (a listed entry) or your own address? The server provides the list of hashes (only 0xABCDE1234) and you verify on your end that 0xABCDE1234≠0xABCDE0000, proving that your email is unlisted.

On average, the returned amount of hashes is claimed to be 381-584. That means that even if your customer is on the list, they're at best one of the ±478 hashes (on average) in the response if they're even listed at all!

The full explanations is here: https://www.troyhunt.com/understanding-have-i-been-pwneds-us..., it's worth a read if you're interested. In practice, I wouldn't worry about your customers' data in this case, because you're not really sending anything identifiable to a third party.

There are less privacy conscious APIs to HIBP, but the range search is probably the easiest and most private way to get the checks done.

All of that said, I use random passwords for every service I use and I'd very much like to opt out of your auto reset system. I'm in favour of adding the feature (more websites should, in my opinion!) but I don't like to be forced to change my already unique password if I don't have to.