
This feels a lot like email providers assuming that if you're running your own mail server, you must be spamming people.

This depends on the lack of use of good tools like FF's relay to anonymize accounts. I mean, HIBP is great, but Troy is self-consciously not interested in handling subaddressing, which would improve his service and its (mis)use in detecting "humanness".



> but Troy is self-consciously not interested in handling subaddressing, which would improve his service

I don't think Troy is not interested in handling subaddressing in the general sense, I think he just dismisses it as "not worth the time" given current statistics.

If it is worth the time and you were writing one of these "Pwned or Bot" "email credit score" detectors, it is easy: you could easily strip +whatever before an @ and check if that exists as well. (Check both!)

> which would improve his service

It's not actually his service he's talking about in this particular article. He doesn't run an explicit "Pwned or Bot" "email credit score" service. He's pointing out it is an interesting use of the HIBP API and also to do it right it needs some sort of value add/scoring system, which he hints at ways to do that but does not provide one (and especially not as a service).

HIBP itself doesn't support subaddressing as a feature, but that's on purpose for a different reason: many of the people that use subaddressing, especially consistent users, use HIBP to narrow down specific account threats and it is useful to them today that HIBP tracks all of their subaddresses independently.
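The "strip +whatever before an @ and check both" idea from the comment above, as an added example that is not part of the thread and is not HIBP code. The `is_breached` callable is a hypothetical stand-in for whatever breach lookup a detector uses, and the sample set is constructed.

```python
from typing import Callable


def lookup_candidates(address: str) -> list[str]:
    """Return the address as given, plus its base form with the +tag removed.

    Only the first '+' in the local part is treated as the tag separator.
    Input without both a local part and a domain yields an empty list.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return []
    domain = domain.lower()  # domains are case-insensitive
    full = f"{local}@{domain}"
    # A quoted local part may contain a literal '+', so leave it untouched.
    if local.startswith('"'):
        return [full]
    base_local, plus, _tag = local.partition("+")
    # No tag, or nothing before the '+': there is no distinct base address.
    if not plus or not base_local:
        return [full]
    return [full, f"{base_local}@{domain}"]


def breach_hits(address: str, is_breached: Callable[[str], bool]) -> dict[str, bool]:
    """Check every candidate and report each result separately.

    Keeping the subaddress and the base address as separate keys preserves
    the per-subaddress signal instead of collapsing it into one answer.
    """
    return {cand: is_breached(cand) for cand in lookup_candidates(address)}


# Constructed sample data standing in for a breach corpus.
SAMPLE_BREACHED = {"alice@example.com", "bob+shop@example.com"}


def sample_lookup(addr: str) -> bool:
    """Hypothetical lookup: exact match against the constructed set."""
    return addr.lower() in SAMPLE_BREACHED


if __name__ == "__main__":
    for addr in ("alice+news@Example.com", "bob+shop@example.com", "+tag@example.com"):
        print(addr, breach_hits(addr, sample_lookup))
```

A scorer can then treat a hit on either candidate as evidence of an established address while still reporting which form was seen.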




