I'd edit my other reply to this comment but can't anymore.

Here are the columns from the CSV file I've seen being shared around on forums, including the "internal metadata". This mostly boils down to full name on file, email, Stripe customer ID, activity metrics, usernames, and phone numbers. Everything else is largely irrelevant.

id,name,email,email_confirmed,email_confirmation_token,stripe_platform_customer_id,is_global_admin,is_ghost,created_at,anonymous_id,email_bounce_count,photo_url,publisher_agreement_accepted_at,bio,updated_at,profile_set_up_at,tos_accepted_at,email_digest_at,has_passed_captcha,import_confirmation_required,post_notification_preference,reader_installed_at,activity_items_viewed_at,dismissed_ios_app_promo_at,email_notifications_last_resumed_at,previous_name,release_group,handle,phone,bank_payment_failures,is_globally_banned,session_version

This is what I've been saying for years. I really could care less if my passwords were leaked. My phone number, on the other hand, is near-impossible to change. The fact that VoIP/virtual numbers are blacklisted from use almost everywhere doesn't help anything, because otherwise I would just use a ton of cheap rented numbers.

The same goes for full names on file, physical addresses, and other hard-to-change information. Passwords have been the least of my concerns since password managers were invented.

You could, in theory, use a custom domain or email aliasing service like SimpleLogin or Addy to combat the email address issue, though websites like GitHub have been known to block emails created with an aliasing service. I could go on about why that move does next to nothing to combat actual abuse; any spammer worth their salt can just buy a bunch of Gmail accounts or Outlook accounts instead.

Phone numbers are kinda concerning given their popularity as 2FA. A phone number is now basically your shared password for everything. It's also semi public, hard to change and you are basically one SIM swap attack away from a full compromise.