
I don't see how it can be new. When I lived some years in Brazil (around 1999-2001), you could buy, at a specific street in Sao Paulo, a CD with all the tax information of every Brazilian citizen.



I remember seeing the news, years ago, that a guy was trying to discover where spammers were getting his email. So he created a bunch of emails for different things.

Guess which email started receiving spam very quickly? Yeah, the one he used for taxes.


I've been doing this for exactly 20 years this week. I always use a unique address for each site (pretty easy; I just use a wildcard domain).

Pretty much everything has been leaked: most retailers, software companies, all phpBB forums, WordPress blogs, Experian, Amazon (3P Sellers, not AMZN itself), Dropbox, LinkedIn. The list goes on and on.

Notable exceptions: Google, Microsoft, Apple, IRS.

These days it is a lot harder to see leaks, as most egregious spam gets filtered even before it hits your server (I use GSuite).


A better option than a wildcard domain with spam filtering is a server where there is zero spam filtering and each unique address goes to a unique folder. Then you have much more opportunity to detect leaks to spammers.
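The per-site address scheme discussed in the comments above, as an added example that is not part of the thread: it attributes a leak by comparing the alias a message arrived on with the sender domain that alias was issued to. The catch-all domain, the alias registry and the sample messages are constructed assumptions.

```python
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses, parseaddr

CATCH_ALL = "mail.example.test"  # assumed wildcard (catch-all) domain
# Constructed registry: alias local part -> sender domains it was given to.
ISSUED = {"taxes": {"tax-office.example"}, "shop": {"shop.example"}}

def alias_of(msg):
    """Local part of the first recipient address on the catch-all domain."""
    fields = []
    for name in ("Delivered-To", "To", "Cc"):
        fields += msg.get_all(name, [])
    for _, addr in getaddresses(fields):
        local, _, domain = addr.rpartition("@")
        if domain.lower() == CATCH_ALL:
            return local.lower()
    return None

def sender_domain(msg):
    # From is spoofable; a real setup would prefer the DKIM/SPF-verified domain.
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def find_leaks(raw_messages):
    """Map each issued alias to the unexpected sender domains that reached it."""
    leaks = defaultdict(set)
    for raw in raw_messages:
        msg = message_from_string(raw)
        alias, dom = alias_of(msg), sender_domain(msg)
        allowed = ISSUED.get(alias)
        if allowed is None:
            continue  # never-issued alias: a guessed address, not a leak signal
        if not any(dom == d or dom.endswith("." + d) for d in allowed):
            leaks[alias].add(dom)
    return {a: sorted(d) for a, d in leaks.items()}

# Constructed sample mail, not real traffic.
SAMPLE = [
    "From: News <news@mail.shop.example>\nTo: shop@mail.example.test\n\nsale",
    "From: promo@bulk-sender.example\nTo: taxes@mail.example.test\n\nwin",
    "From: x@bulk-sender.example\nDelivered-To: admin@mail.example.test\n\nhi",
    "From: a@other-sender.example\nTo: Taxes@MAIL.example.test\n\noffer",
]

if __name__ == "__main__":
    print(find_leaks(SAMPLE))
```
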


If your objective is to solely detect leaks, then sure, zero spam filtering is the best option.

In my case I'm just trying to live my life in a security-conscious way, and detecting breaches is just a byproduct.

And of course the easiest option is to drop all that and just follow Troy Hunt's HIBP [1].

[1] https://haveibeenpwned.com/


I remember in the 90s when we thought it was funny to sign people up for every newsletter we could find. You could basically destroy someone's email address making it forever unusable by spending an hour signing up for junk.


I was even able to DoS my mail server with a bot that signed up for newsletters.


Tax information isn't that harmful; many Nordic countries release it as a public service.

This appears to be a new leak of Experian's Brazilian database, which contains basically everything about everybody.


I think OP's point was that Brazil has always had illegal structures for data exfiltration and so on...


What's the idea behind selling this out in the clear?


Money.



