
It does contain actionable info at the end of the article. Last paragraph.


Last paragraph says:

> Get a password manager, use strong and unique passwords

That's more like the overall "mission" of Have I Been Pwned, convince people to do that. It's not a particular actionable suggestion that receivers of the alert email can perform (because, albeit here we're discussing the blog post, actually this has been emailed as a Breach Alert to all HIBP subscribers).

To be fair, this promises to be a service that alerts you when your accounts get compromised, and that's 100% what they have done. But in past similar emails, they also contained actionable advice, such as "go to example.com and change your password", which here is missing, so I guess users are left wondering what they can do apart from either ignoring the breach or changing absolutely all their passwords just in case any of them was leaked, or munging on their own the provided TXT listings (which most won't do).


"Use strong and unique passwords" is a good practice, but it's not really actionable in response to these breaches.

How many normies without password managers remember every site where they created an account in the last five years? Even if they start using strong and unique passwords now, they won't go back and change passwords in services they've forgotten.

All I know from Cit0Day is that my account was breached in one or more of 23000+ sites. I can't tell which one(s), so it's not actionable.

Troy runs haveibeenpwned as a free public service, so it's not right to ask him to do more than he already has. But to be actionable, each email in the Cit0Day dump could be associated to the individual sites so users would know where they'd been pwned.



