
The haveibeenpwned API uses a k-anonymity model, so that the client can check a password in an efficient fashion (i.e. without downloading the entire list of pwned hashes), without also revealing the hash you're trying to check.

Basically, it asks for all pwned hashes that start with the same 5 characters as your password's (hex-encoded) hash. So yes, there is an information leak (the first 5 characters of your hash), but it's an extremely unimportant one. Even knowing the first 5 characters, there's still 2^140 possible hashes it could be. And of course they would then need a pre-image attack on SHA1 to deduce your actual password from that.

More detail here: https://www.troyhunt.com/were-baking-have-i-been-pwned-into-...

Finally, I'm sure this option will be possible to disable, probably in settings but certainly in about:config.
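
The range query described in the comment above, as an added example that is not part of the original comment or of any project's code. The function names and the small breach corpus are constructed for illustration, the server is simulated locally so the block runs offline, and the `SUFFIX:COUNT` line format is assumed to match the public range API.

```python
import hashlib

PREFIX_LEN = 5  # hex characters disclosed to the server (20 of SHA-1's 160 bits)

# Constructed breach corpus standing in for the server's data set: password -> count.
CONSTRUCTED_CORPUS = {"password": 3, "hunter2": 2, "letmein": 1}


def sha1_hex(password):
    """Upper-case hex SHA-1 of the UTF-8 password (40 hex characters)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """Return (prefix sent to the server, suffix that never leaves the client)."""
    digest = sha1_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def server_range(prefix, corpus):
    """Simulated server: sees only the prefix, returns every suffix in that bucket."""
    lines = []
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix.upper()):
            lines.append(f"{digest[PREFIX_LEN:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password, corpus=CONSTRUCTED_CORPUS):
    """Client: request the bucket for the prefix, then match the suffix locally."""
    prefix, suffix = split_hash(password)
    body = server_range(prefix, corpus)  # only `prefix` crosses the trust boundary
    for line in body.splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0  # suffix absent from the bucket: not in the corpus


if __name__ == "__main__":
    print(split_hash("password")[0], breach_count("password"))
```
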



