
Not a lawyer, but if that's true, how could sites like http://haveibeenpwned.com exist?


For one thing, http://haveibeenpwned.com is Australian, so not subject to US law. It might be illegal to access it in the US, but it's not illegal for it to exist.


It isn't illegal in the US either.

People -- visiting the 'dark web' is NOT illegal. Browsing via Tor is perfectly legal. Reading some extortion website is not illegal.

Downloading someone else's ransomwared data -- that starts to become gray.

Preferably use Tor in an isolated VM; you have to assume the Firefox instance is corrupted.


They don’t publish the data itself; they just compare a hash of it to a hash of whatever you submit for comparison.


Right, but they have to look at that data to create those hashes, no?


No, you submit your own hashes or partial hashes.


I think donw was talking about the much more gray-area part of HIBP: obtaining the lists of leaked passwords, in order to hash each one and store the hashes.
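
The partial-hash lookup mentioned in the comments above, sketched as an added example (not code from the thread or from HIBP): the service hashes a leaked list once and stores only hashes, and the client reveals only a hash prefix. SHA-1, the 5-character prefix and every function name here are assumptions made for the illustration, and the leaked list is constructed.

```python
import hashlib

# Constructed sample list standing in for a breach corpus (not real leak data).
LEAKED = ["password", "123456", "letmein", "qwerty",
          "password", "123456", "123456"]
PREFIX_LEN = 5  # assumption: number of hex characters the client reveals


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_index(passwords):
    """Service side: hash each leaked password and bucket it by hash prefix.

    Only hashes and occurrence counts are kept; the plaintext is not stored.
    """
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
        bucket = index.setdefault(prefix, {})
        bucket[suffix] = bucket.get(suffix, 0) + 1
    return index


def range_query(index, prefix):
    """Service side: return every suffix (with count) that shares the prefix."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
    return dict(index.get(prefix.upper(), {}))


def check_password(index, candidate):
    """Client side: hash locally, send the prefix only, match the suffix locally.

    Returns (what_was_sent, times_seen_in_leaks).
    """
    digest = sha1_hex(candidate)
    sent = digest[:PREFIX_LEN]
    candidates = range_query(index, sent)  # the only data that leaves the client
    return sent, candidates.get(digest[PREFIX_LEN:], 0)


INDEX = build_index(LEAKED)

if __name__ == "__main__":
    for pw in ("123456", "a-long-unleaked-passphrase"):
        sent, seen = check_password(INDEX, pw)
        print("sent prefix %s -> seen %d time(s)" % (sent, seen))
```

The service never sees the submitted password or its full hash, but building `INDEX` still required reading the leaked list, which is the gray area the last comment points at.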



