bawolff 5 days ago

I guess, but it seems a bit like a solution that only works for this specific dump - most db breaches don't have photos in them.

My bigger concern though is how you translate that into discovering such breaches. Are you just googling for your token once a day? This breach was fairly public but lots of breaches are either sold or shared privately. By the time it's public enough to show up in a google search usually everyone already knows the who and what of the breach. I think it would be unusual for the contents of the breach to be publicly shared without identifying where the contents came from.

tonymet 4 days ago | parent [-]

Dark web scanning is common. The developers would be notified when those signatures appear in dark web indexes.

JFIF is just an example. Any file format or metadata could be used as a signature depending on the storage type.

bawolff 2 days ago | parent [-]

There is no indication that this particular breach was ever on the "dark web" before widely being discovered.

Yes, dark web scanners are a thing, but just because something exists does not mean it would work for a specific situation. I'm doubtful they would work most of the time.