I checked it and as you said, whenever it can’t find the username or email in the DB it’ll 404.
Fixed by being less lazy and handling 404s myself, API works great now.
What I did (Future ref for Delphi/Pascal devs):

HTTPClient := TIdHTTP.Create(nil);

try
  HTTPClient.Request.UserAgent := 'Mozilla/5.0 (compatible; <App name>/<Version>; Windows NT 6.0;)';
  HTTPClient.ConnectTimeout    := 7000; // 7 seconds, just to be sure
  HTTPClient.ReadTimeout       := 5000; // 5 seconds as mashape can have a delay from time to time
  HTTPClient.Request.CustomHeaders.AddValue('X-Mashape-Key', '<API key>');
  HTTPClient.Request.CustomHeaders.AddValue('Accept', 'application/json');
  HTTPClient.HTTPOptions := HTTPClient.HTTPOptions + [hoNoProtocolErrorException]; // Indy should not handle protocol exceptions

  try
    try
      JSONStr := HTTPClient.Get('https://troyhunt-have-i-been-pwned.p.mashape.com/v2/breachedaccount/' + URLSafeText);
    except
      on E: EIdHTTPProtocolException do
      begin
        if E.ErrorCode = 404 then // The API couldn't fine a breach
        begin
          WriteLn('No breaches found');
          Exit;
        end else // Something went horribly wrong
        begin
          WriteLn('API derped' + sLineBreak + 'Message: ' + E.Message);
          Exit;
        end;
      end;
    end;

    { Add your JSON stuff here }

  except
    on E: Exception do // If anything else goes wrong, raise a proper exception.
      raise Exception.Create('Error: ' + E.Message);
  end;
finally
  FreeAndNil(HTTPClient);
end;

Edit: I also noticed I made a slight mistake when cropping the string. (Removed 2 chars too much, whoops)
It basically sent ‘st@test.com’ instead of ‘test@test.com’

Not too sure about the Mashape side of things, but this works perfectly: https://haveibeenpwned.com/api/v2/breachedaccount/test@test.com

Well, for ‘test’ and ‘example’ I get a 200
Whenever I use test@test.com it throws a 404.

I do use Delphi, though. But that shouldn’t be an issue.
I mean, the code is a bit messy but…

HTTPClient := TIdHTTP.Create(nil);

try
  HTTPClient.Request.UserAgent := 'Mozilla/5.0 (compatible; DOSBot/0.1a; Windows NT 6.0;)'; // Funny name as it's an IRC bot for HackThis
  HTTPClient.ConnectTimeout    := 7000;
  HTTPClient.ReadTimeout       := 5000;
  HTTPClient.Request.CustomHeaders.AddValue('X-Mashape-Key', '<API key here>');
  HTTPClient.Request.CustomHeaders.AddValue('Accept', 'application/json');

  try
    NormalText := HTTPEncode(aMessage.Substring(6));
    try
      JSONStr := HTTPClient.Get('https://troyhunt-have-i-been-pwned.p.mashape.com/v2/breachedaccount/' + NormalText);
    except
      on E: EIdHTTPProtocolException do
      begin
        MessageLog.Lines.add('API derped');
        MainIRCSocket.Say(aTarget, 'API derped');
        Exit;
      end;
    end;
    . . . // SNIP
  except
    on E: Exception do
      raise Exception.Create('Error: ' + E.Message);
  end;
finally
  FreeAndNil(HTTPClient);
end;

I’m seeing 200 on the test endpoint, which account are you testing it with? You’ll see 404 if the account doesn’t exist in HIBP which is the correct semantic HTTP response.