FWIW, I checked the unique address I gave to CAG at haveibeenpwned.com to receive the report that I have been pwned:
Since CAG is the only site that I've given this address, I strongly suspect that CAG is the breached site.
Also FWIW, I give unique addresses to each organisation that wants my email address. Unique addresses that have attracted the current run of p**n spam are associated with LastFM (3 breached sites, no pastes but some of the spam quotes the password I used when I last visited lastfm several years ago) and AVAST anti-virus (2 breached sites, no pastes). I'm really shocked at the last of those.
Edited to add: BTW, the addresses that I give organisations comprise a prefix, a delimiter, and a suffix -- the prefix denotes the type of organisation, the delimiter is a non-alphanumeric character and the suffix uniquely identifies the organisation when looked up in a table of addresses that I keep. So 'dictionary' attacks (such as every name possible @domain) will not work, which implies beyond reasonable doubt that these addresses have been harvested during one or more breaches.
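The prefix/delimiter/suffix scheme described in the post above, sketched as an added example (not the poster's own code or table): addresses are issued per organisation, and spam recipients are later attributed back to the organisation that was given each address. The `AliasBook` class, the `_` delimiter, the random hex suffix and the `example.org` domain are all assumptions made for illustration.

```python
import secrets
from collections import Counter

DELIM = "_"  # assumption: the post only says "a non-alphanumeric character"

class AliasBook:
    """Lookup table of per-organisation addresses: prefix + DELIM + suffix."""

    def __init__(self, domain):
        self.domain = domain.lower()
        self.table = {}  # suffix -> (prefix, organisation)

    def issue(self, org_type, organisation):
        """Create and record a new address for one organisation."""
        if not org_type.isalnum():
            raise ValueError("prefix must be alphanumeric so DELIM splits cleanly")
        suffix = secrets.token_hex(4)  # assumption: random, unguessable suffix
        while suffix in self.table:
            suffix = secrets.token_hex(4)
        self.table[suffix] = (org_type.lower(), organisation)
        return f"{org_type.lower()}{DELIM}{suffix}@{self.domain}"

    def attribute(self, address):
        """Return the organisation an address was issued to, or None."""
        local, at, domain = address.strip().lower().rpartition("@")
        if not at or domain != self.domain:
            return None
        prefix, sep, suffix = local.partition(DELIM)
        entry = self.table.get(suffix)
        # Prefix and suffix must both match the table; a dictionary guess has no entry.
        if not sep or entry is None or entry[0] != prefix:
            return None
        return entry[1]

def tally_leaks(book, spam_recipients):
    """Count spam per issuing organisation; guesses land under 'unattributed'."""
    return Counter(book.attribute(r) or "unattributed" for r in spam_recipients)

if __name__ == "__main__":
    book = AliasBook("example.org")  # constructed domain
    music = book.issue("music", "LastFM")
    book.issue("shop", "CAG")
    # Constructed recipient list: two hits on one alias, two dictionary guesses.
    spam = [music, music.upper(), "john@example.org", "music_admin@example.org"]
    print(tally_leaks(book, spam))
```

Spam that lands on an issued address points at the one organisation holding it, while name-guessing attempts fall into the `unattributed` bucket.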