I’m very careful with privacy and security so I was surprised I got an obvious phishing email from “American Express”. I reported the email and moved on only to get another one today. I checked haveibeenpwned and it came back clear. I have never gotten a phishing email before the other day. As for the senders, they all came from generic IT sounding email addresses. They obviously weren’t American Express.
One possibility is that you have a fairly common username part and a similarly common domain like, say, gmail.
There’s nothing stopping a spammer from taking existing addresses and word lists, then taking them apart and putting them together in different ways to make up completely new addresses to send spam to. It doesn’t matter if 99% of the addresses they make up don’t exist because they’re only interested in the 1% of the 1% of successes who will fall for their scam. They don’t even get the rejections because the From address is usually bogus too.
e.g. I bet whoever owns john dot smith at gmail gets a huge amount of spam whether he’s in any databases or not.