The question in the title of this post comes up after pretty much every data breach I load, so I thought I'd answer it here once and for all and then direct inquisitive Have I been pwned (HIBP) users here when confusion ensues in the future. Let me outline a number of different root causes for the "why is my data on a site I never signed up to?" question.
You forgot you signed up
Let's start with the simplest explanation because it's often the correct one - you've simply forgotten you signed up. We leave a huge trail of accounts behind us on the web over the many years we've been online and there's no doubt whatsoever that most of us (I certainly include myself in that) can't recall exactly what we signed up for a decade ago.
I've had a number of occasions in the past where people have claimed they've received a notification from HIBP and sworn black and blue they never had an account, only to then recall they did after I've started troubleshooting what might have gone on. That's just the nature of the web these days in that we spread ourselves around so much that we'll never be able to recall every location we've left our data.
Keep in mind also that we may not have left our data "on the web"; it could have been a physical registration form or that time we provided our info to a hotel then they signed us up for an account with their loyalty program.
Our data is sold and redistributed
Your information is a commodity. A while back I wrote about how your data is collected and commoditised via “free” online services and this showed the way data spreads to various locations after you provide it to somewhere which seems entirely unrelated.
Websites buy your data. Websites redistribute your data. You even agree to this when you accept the terms and conditions of so many different websites (and no, I don't read them either), so it's no surprise that your data spreads so broadly into totally unexpected places.
Sites rename and rebrand themselves
This isn't particularly unusual, especially on the web where companies are frequently "pivoting". They used to do X and it didn't work out so well, now they're going to do Y under a different identity with a different purpose. Y gets hacked and data gets leaked and attributed to them, but you gave your info to X which leads to obvious confusion.
It speaks to the fluid nature of online services and we can all think of many that have come and gone or refocused their attention in different directions. This often becomes apparent when looking at underlying data structures exposed by attacks where the old name still persists with just the veneer of the service changing as far as the public is concerned.
I'll give you a perfect example of this that affected me in a data breach a few years ago. I found one of my work accounts in the Adobe data breach and I was certain I'd never signed it up to them. Upon further reflection, I realised that I'd used that account with Macromedia back in the day when I was using Dreamweaver. Adobe's acquisition of Macromedia now meant that email address was in the Adobe data breach.
I certainly can't keep track of who's buying who and an acquisition of this style can mean your data ends up in entirely unexpected locations.
Other people sign you up
Here's another personal example: in October last year, 000webhost was hacked and their data spread around the web. I loaded it into HIBP and then... I got a personal breach notification. This was entirely unexpected as I didn't have an account with them, at least I thought I didn't.
Being curious, I went to the 000webhost site and requested a password reset for my email address. I logged on and found it was managing someone else's website. On the face of it, the root cause appears to have been someone "fat-fingering" the email address when signing up and entering mine instead of another very similar one. Because 000webhost never had subscribers verify their address before attaching a valuable asset like a website to it (tip for web developers - do this!), I was now in control of someone else's site.
There are many "Barack Obama" entries in Ashley Madison. Now I'm going to go out on a limb here and suggest that POTUS wasn't signing up to an adultery website in the first place and if he was, he wouldn't be using his own name! The point is that anyone can sign up to almost any website with any name and any email address - including yours.
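The address verification recommended above for web developers, sketched as an added example (not code from 000webhost or from this post): a sign-up stays unverified until the emailed token is returned, nothing can be attached to it before then, and unverified records are purged once the token expires. The `Accounts` class, its method names and the 24-hour token lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed lifetime of a verification link, in seconds


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


class Accounts:
    """In-memory stand-in for a user table (constructed for this example)."""

    def __init__(self):
        self.users = {}  # email -> verified, token_hash, expires, sites

    def sign_up(self, email, now=None):
        now = time.time() if now is None else now
        if self.users.get(email, {}).get("verified"):
            return None  # never overwrite an address that has been proven
        token = secrets.token_urlsafe(32)  # mailed to the address; only its hash is kept
        self.users[email] = {"verified": False, "token_hash": _digest(token),
                             "expires": now + TOKEN_TTL, "sites": []}
        return token

    def verify(self, email, token, now=None):
        now = time.time() if now is None else now
        user = self.users.get(email)
        if not user or user["verified"] or now > user["expires"]:
            return False
        if not hmac.compare_digest(_digest(token), user["token_hash"]):
            return False
        user["verified"], user["token_hash"] = True, None  # token is single use
        return True

    def attach_site(self, email, site):
        user = self.users.get(email)
        if not user or not user["verified"]:
            return False  # no asset is bound to an unproven address
        user["sites"].append(site)
        return True

    def purge_unverified(self, now=None):
        now = time.time() if now is None else now
        stale = [e for e, u in self.users.items()
                 if not u["verified"] and now > u["expires"]]
        for email in stale:
            del self.users[email]  # a mistyped address does not linger in the table
        return stale
```

With this flow a mistyped address never gains a website, and because the record is purged after expiry, that address is not sitting in the table if the site is later breached.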
It can be a little disconcerting when you can't work out why your data is appearing in a certain location, indeed that's part of the value proposition of HIBP as you can track the occurrence of many of these incidents. I put a lot of effort into verifying the legitimacy of data breaches so there shouldn't be false positives and if ever I'm not sure about the legitimacy of the incident, I flag it as "unverified" and make it crystal, crystal clear.
As I've said above, this is now just the nature of the web in that we end up with our personal data scattered far and wide, often beyond the scope of what we intended it to be. Hopefully, HIBP can help you surface that information, but don't be surprised if you find yourself in entirely unexpected locations.