The Pwned Passwords API, a part of Troy Hunt's Have I Been Pwned service, has introduced padding in its responses to protect against potential attack vectors that use passive analysis of response sizes. By passing the "Add-Padding" header with a value of "true", users can request padded API responses. The padding consists of randomly generated hash suffixes with usage count set to "0". This feature is expected to be mandatory in the future, once clients have had time to update their implementations.