Self-experiment methodology: when registering on any site, generate a hard-to-guess email address unique to that site. If spam later arrives on that address, you know exactly which site leaked. Paweł Pokrywka ran this for 12 years over ~800 registrations and identified 15 leakers, including LinkedIn, an 'Indian DNS' service and a vendor of SSL certificates — roughly one in every 50 sites leaks user data.