The signatures would appear in the drop . A primitive version would be file meta data or jfif. Even the images themselves or steganography could be used
I guess, but it seems a bit like a solution that only works for this specific dump - most db breaches don't have photos in them.
My bigger concern though is how you translate that into discovering such breaches. Are you just googling for your token once a day? This breach was fairly public but lots of breaches are either sold or shared privately. By the time its public enough to show up in a google search usually everyone already knows the who and what of the breach. I think it would be unusual for the contents of the breach to be publicly shared without identifying where the contents came from.
There is no indication that this particular breach was ever on the "dark web" before widely being discovered.
Yes dark web scanners are a thing, but just because something exists does not mean it would work for a specific situation. I'm doubtful they would work most of the time.
