I read about a "threat intelligence" company on here the other day who got hacked for all their breach data. Not all of it is super public, and none of the public dumps are in a tidy package where you can associate users in one breach with users in another breach. Sorry I couldn't find the name of the company.
But there are more than a handful of "threat intelligence" or OSINT providers. I'll let you Google it for yourself.
> look around at the market for our password breach and identity theft data. There's a brisk, legal trade.
If it is so easy to acquire this data legally, do you want to point to a business from which one can legally purchase "identity theft data"?