For a very small number of breaches, we loaded usernames and phone numbers and enabled searching through the website and API. These breaches did not have email addresses present, thus the only way searching could be achieved was via these attributes. Due to the near ubiquity of email addresses in data breaches and the difficulty of parsing and loading usernames and phone numbers, no further breaches have included these fields.
As of today, website search validation requires an email address and does not accept a username or phone number. The breached account API still accepts all three (username, phone number, and email address) and will continue to do so for the foreseeable future, although it is unlikely that any further non-email address data will be loaded.