This site came about after what was, at the time, the largest ever single breach of customer accounts — Adobe. I often did post-breach analysis of user credentials and kept finding the same accounts exposed over and over again, often with the same passwords which then put the victims at further risk of their other accounts being compromised.
The FAQs page goes into a lot more detail, but all the data on this site comes from publicly leaked “breaches” or in other words, personal account data that has been illegally accessed then released into the public domain. Have I been pwned? aggregates it and makes it readily searchable.