I just tried it with my old Gmail account that I no longer use, and it displayed the first two letters of my password. The password was random letters and numbers, 16 characters, so not easily guessable. Seems legit to me :-)
"If you don't like to specify your full email address for any reason, you can replace up to 3 characters with asterisk sign (e.g., for myaccount@gmail.com enter myac*nt@gmail.com), thus we'll show you a count of matches for this pattern. We respect your privacy."
Notwithstanding the questionable reliability of this, what is meant by "leaked"? A trove of phished credentials does not really qualify as a "leak".