There are multiple sources of breach data.
We scrape active dump sites, dark web ransomware, and paste sites. Dump sites appear and disappear at random so often the link to the originating source is short-lived.
We also subscribe to feeds from breach data providers like Breachsense and actively monitor OSINT channels on twitter.