We are keen for your feedback and experience using this tool, as well as any tips and advice you would give the wider community. Many thanks.
When I receive a Have I Been Pwned alert, I parse through the users, eliminate those that no longer exist, then notify the users with advice about password reuse and 2-FA.
I log this to our Security Audit repository so we can easily report to auditors the action we have taken.
Depending on the year of the reported breach, I’ll run a query to find the date the password was last set.
If a password reset occurred one or more times since the breach, I do not require the user to reset the password.
However, I always send a short (so they will actually read the message) communication with the advice I mentioned above: password reuse and 2-FA.
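The triage described in the post above, sketched as an added example that is not part of the original post or of any tool it mentions. The directory export, the addresses, the action labels and the function names are constructed for illustration; because only the breach year is known, the sketch assumes the breach could have happened as late as the last second of that year.

```python
import json
from datetime import datetime, timezone

# Constructed sample data: directory export of user -> password-last-set (UTC).
DIRECTORY = {
    "alice@example.org": datetime(2021, 3, 2, tzinfo=timezone.utc),
    "bob@example.org": datetime(2016, 11, 20, tzinfo=timezone.utc),
    "carol@example.org": None,  # attribute missing: treat as never reset
}
# Constructed sample alert: addresses named in a breach notification.
ALERT = ["Alice@Example.org", "bob@example.org ", "carol@example.org",
         "dave@example.org"]


def breach_cutoff(breach_year):
    """Assumption: with only a year known, use the latest moment in that year."""
    return datetime(breach_year, 12, 31, 23, 59, 59, tzinfo=timezone.utc)


def triage(alert_addresses, directory, breach_year):
    """Return one audit record per alerted address, in alert order."""
    cutoff = breach_cutoff(breach_year)
    records = []
    for raw in alert_addresses:
        user = raw.strip().lower()  # alerts and directories differ in case
        last_set = directory.get(user)
        if user not in directory:
            action = "skip-no-longer-exists"
        elif last_set is not None and last_set > cutoff:
            # Password changed after the breach: advice message only.
            action = "notify-only"
        else:
            # Unchanged since the breach, or unknown: advice plus forced reset.
            action = "notify-and-require-reset"
        records.append({
            "user": user,
            "breach_year": breach_year,
            "password_last_set": last_set.isoformat() if last_set else None,
            "action": action,
        })
    return records


def to_audit_lines(records):
    """Serialize records as JSON lines suitable for an audit repository."""
    return [json.dumps(r, sort_keys=True) for r in records]


if __name__ == "__main__":
    print("\n".join(to_audit_lines(triage(ALERT, DIRECTORY, 2019))))
```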