I've seen a lot of people doing this. Maybe we should have a public database of what company sold emails to who that everyone who did this can contribute to, with some kind of proof required.
That's a great idea. I do the same thing as the parent poster, and I've seen lots of email addresses compromised. If it's one that I care about, I will contact the company. (Last time it was Tektronix, before that it was Roku.) They usually deny that it could have been on their end, which is BS because nobody besides them ever had the email address (assuming I wasn't hacked locally). The most common scenario is the insider threat. Some low-paid IT person with access to their database sells the list for a few tens of dollars.
Difficulty there is that many vendors are victims of data breaches, so they perhaps don't deserve to be demonized quite as much as if they'd outright sold the data. Could be difficult to prove which side of Hanlon's Razor they fall on.
If a company has a data breach, they most likely still have a security problem. While they may actually be victims if any 3rd party software is exploited, it still comes down to system misconfiguration in any cases. And that would still be their fault.
That should depend on whether they informed the affected customers that their data was leaked in a breach or (if they weren't yet aware of the breach) how they react to the news that they have been breached.