False data-breach positive on a password

I sent an invite link to a friend who generated a 16-character unique password for tildes, and was greeted with the error "This password has been used in a data breach".

He sent me the password and I verified and reproduced the issue. I also verified the password does not show up on https://haveibeenpwned.com/Passwords -- it's green.

I don't want to paste the password as plaintext here because that could compromise the ability to actually debug this (if it gets scraped and does end up on HIBP, heh). So I've base64-encoded it:

dUVHTll1Q0d iTjlLRldnTA== (uE...WgL, md5 a0fc6a46c6123a2a2e942fdb0cfc0318)