The question in the title of this post comes up after pretty much every data breach I load, so I thought I'd answer it here once and for all, then direct inquisitive Have I been pwned (HIBP) users here when confusion ensues in the future. Let me outline a number of different root causes for the "why is my data on a site I never signed up to?" question.
You forgot you signed up
Let's start with the simplest explanation because it's often the correct one - you've simply forgotten you signed up. We leave a huge trail of accounts behind us on the web over the many years we've been online and there's no doubt whatsoever that most of us (I certainly include myself in that) can't recall exactly what we signed up for a decade ago.
I've had a number of occasions in the past where people have claimed they've received a notification from HIBP and sworn black and blue they never had an account only to then recall they did after I've started troubleshooting what might have gone on. That's just the nature of the web these days in that we spread ourselves around so much that we'll never be able to recall every location we've left our data.
Keep in mind also that we may not have left our data "on the web"; it could have been a physical registration form or that time we provided our info to a hotel then they signed us up for an account with their loyalty program.
Our data is sold and redistributed
Your information is a commodity. A while back I wrote about how your data is collected and commoditised via “free” online services and this showed the way data spreads to various locations after you provide it to somewhere which seems entirely unrelated.
Websites buy your data. Websites redistribute your data. You even agree to this when you accept the terms and conditions of so many different websites (and no, I don't read them either), so it's no surprise that your data spreads so broadly into totally unexpected places.
Sites rename and rebrand themselves
This isn't particularly unusual, especially on the web where companies are frequently "pivoting". They used to do X and it didn't work out so well, now they're going to do Y under a different identity with a different purpose. Y gets hacked and data gets leaked and attributed to them, but you gave your info to X which leads to obvious confusion.
It speaks to the fluid nature of online services and we can all think of many that have come and gone or refocused their attention in different directions. This often becomes apparent when looking at underlying data structures exposed by attacks where the old name still persists with just the veneer of the service changing as far as the public is concerned.
Acquisitions occur
I'll give you a perfect example of this that affected me in a data breach a few years ago. I found one of my work accounts in the Adobe data breach and I was certain I'd never signed it up to them. Upon further reflection, I realised that I'd used that account with Macromedia back in the day when I was using Dreamweaver. Adobe's acquisition of Macromedia now meant that email address was in the Adobe data breach.
I certainly can't keep track of who's buying who and an acquisition of this style can mean your data ends up in entirely unexpected locations.
Other people sign you up
Here's another personal example: in October last year, 000webhost was hacked and their data spread around the web. I loaded it into HIBP and the