The Pwned Passwords API (run by Troy Hunt, same person who does haveibeenpwned.com) contains about half a billion passwords (pretty much every breached password that ever became known) and provides anonymous password checks. Lengthy writeup here, the short version is that you hash the password and send the first few bytes, and the server returns all password hashes which start with that prefix (a few hundred).
In theory this can be abused by a malicious service operator: it can have a public and a secret list of common passwords, and only return the public ones for the given prefix. If the user has a very common password it would be on the list and we force them to change it so no harm done; if it's a unique password, sending the first few characters of the hash doesn't help a potential attacker; if it's a slightly uncommon but known password (on the secret list but not the private list) then the service operator knows that one of a few hundred passwords that start with that hash is in use on some Wikimedia site (and can probably correlate the user account from timing).
So using it is not without risk, but given the service is run by a generally highly regarded security researcher, the risk is probably still smaller than allowing for known-breached passwords, because we don't have the capacity to have more than a few hundred thousand items on our bad password list, so maybe it is worth the risk?