Breach Data” is data that is made publicly available by individuals or entities that perpetrate data breaches. While the act of the breach itself is illegal, obtaining and using the data after it has been leaked is both lawful and very useful in OSINT investigations. Most of the company breaches are simply usernames/email addresses and passwords, likely obtained from unsophisticated hacking crews scanning the Internet for unprotected servers left open for external connections.
Sensitive data sets are typically executed by more sophisticated actors and are often hacked government sites or protected data servers; Hacked data sets are routinely uploaded and provided (some free and others paid) to the public on various paste or file storage sites and also to more limited audiences via dark web forums or marketplaces.