Various darknet fora. Certainly nowhere on clearnet. There are search engines that deal with such things though I'll bet there's a 99:1 ratio of scam to legit. I have no idea how someone world go about validating what they saw.
1. confirming the emails were not already listed in other databases / leaks;
2. going to the actual Discord platform and performing a "Forgot Password" request, entering a stolen email, and seeing if it goes through or not, as Discord confirms if an email exists or not during this flow;
3. contacting Discord.io directly, who confirmed & put out a statement.
Other data breaches are harder to verify. Troy Hunt (owner of haveibeenpwned.com) described this in far more interesting ways than I ever could[0], but for each breach, it varies.
Until recently, every time a story was run about a leak being "for sale on the dark web", you could visit raid forums or breach forums, both clearnet sites, and note that's where it's for sale.
Validation is likely tied to reputation - such as by showing a sample to an established moderator / community member and them vouching that the data seems real.
