Brute-force attack occurs when a hacker attempts to guess a user's login password with leaked passwords list, while this program is using api to check if and how many times your password has been leaked.
The API absorbs the first 5 characters of your hashed password, in upper case, and then return a list of leaked passwords(also in hash and upper case form, but removed the first 5 characters).