Empirical claim from Paweł Pokrywka's 12-year experiment: with roughly 1 in 50 sites leaking user data, anyone holding 50 or more online accounts (newsletters, social media, any form that takes an email) has almost certainly had their data leaked to spammers or criminals. Combined with the 40% of freelancers storing passwords in plaintext (some 'fixing' it with base64), this makes account-breach risk a default assumption.