Same here. I have (at the last count) over 200 website/service specific email aliases. I very rarely use an alias for more than one service. However when I do start getting spam on that alias, and I contact the website concerned they always state it's my fault. My response? If I can, I stop using that website or service.

My dropbox alias email started getting loads of spam about 2 years ago, I immediately junked that account, and set-up a new dropbox account (friends insist on sharing stuff over it...) - my old spammy dropbox alias is in the Dropbox leaked dump, my new current one isn't, which proves that this dump of credentials is from at least before 2015.

Is it necessarily service's fault? Could the e-mail address have been intercepted when some confirmation e-mail was being delivered? Not likely, I agree, but still...