[Ciunkos]

Just assume every form on the Internet is being constantly filled with leaked or stolen data.

I am pretty sure they (the pissed of recipients) have never even visited your site. Their emails had been submitted by persistent fraud groups hammering every possible input 24/7 for their scam and spam ops. I observe such behavior on our apps and sites, even those that you would assume no one is even aware of.

Cloudflare’s Turnstile will help you block 90% of such threats, and the final solution is to double-confirm the subscription - this way you can be pretty sure subscribers are there willingly and have not been put in by crooks.

Nowadays, I would even ditch the email input and force “Subscribe with Google/Apple/xyz” via Oauth to completely mitigate this broken unauthorized newsletter subscription flow.