Out of curiosity I checked out haveibeenpwned to see if my data was exposed in any breach, and it turns out my email was found in 22 breaches. I’m not surprised - I’m probably registered on hundreds, if not thousands, of sites and it’s only a matter of time before some of them get compromised. You should assume that every time you register for a site, that data will get leaked, and act accordingly - this means using a unique password on every site and, if possible, even obfuscating your email address. For the past year and a half I’ve embraced the approach of assuming my email address is public but investing heavily in strong, secure, and randomly generated passwords that are unique to every site. I’ve also been slowly going through my older registrations and updating the passwords.
It’s not easy going through every registration and updating the password, so I’ve prioritized the sites that are important, such as those containing financial or personally identifiable information, and those that do not offer 2FA. The rest, if compromised, wouldn’t give the attacker any more data than my email would, so I’m not worrying about them.
This will never get easier, so it’s important to both get into better habits going forward and upgrade the security of the existing accounts. The reality is we’re all only a breach away from having to deal with a whole world of pain, and investing in security, while miserable, is going to save us from a lot of pain later on. If you haven’t checked out haveibeenpwned, give it a shot and be surprised.