Using a unique, hard-to-guess email address per site makes data leaks visible: any spam on that alias pinpoints the leaking site. Paweł Pokrywka's 12-year experiment over ~800 sites found 15 leakers (≈1 in 50), including LinkedIn, an Indian DNS provider and an SSL-certificate vendor.