[mkl]

It's hard to distinguish between leaking and selling, but I think leaking is much more common. Dropbox famously leaked a lot of emails in ~2012, including mine - I was never a paying customer and that put me off becoming one or using them (to this day most spam sent to my domain is to that Dropbox address). Two local PC parts companies leaked or sold my email. I confronted one about it and they claimed they hadn't had a data breach, so either they sold it, or they were too incompetent to know they'd been hacked, or they lied - I suspect incompetence but whatever happened they lost my business. A couple more incidents long ago too.

Real estate agents can be pretty aggressive with emailing, but IME respect unsubscribes and don't seem to share/leak emails. I kind of wish I'd used an address per agent instead of per company to see what was happening better.

Non-company uses can also reveal issues. I had an address scraped from a flatmate finding site, and one apparently lifted from a relative's contact list somehow (I only have one I use for family, so that was a concern, but spam to it petered out quickly).