The headline is pretty self-explanatory, so in the interest of time, let me just jump directly into the details of how this all works. There's been huge interest in this incident, and I've seen near-unprecedented traffic to Have I Been Pwned (HIBP) over the last couple of days. Let me do my best to explain how I've approached the phone number search feature. Or if you're impatient, you can head over to HIBP right now and search for your number.
I'd never planned to make phone numbers searchable and indeed this User Voice idea sat there for over 5 and a half years without action. My position on this was that it didn't make sense for a bunch of reasons:
Phone numbers appear far less frequently than email addresses
They're much harder to parse out of most data sets (i.e. I can't just regex them out like email addresses)
They very often don't adhere to a consistent format across breaches and countries of origin
Plus, when the whole modus operandi of HIBP is to literally answer that question - Have I Been Pwned? - so long as there are email addresses that can be searched, phone numbers don't add a whole lot of additional value.