How do you even find a data breach and/or leak like do they leave there sites unsecured or do you target them and stuff

Mainly sites are unsecure, some people can pull database even with old exploits like SQL injection but nowadays most of sites doesn't have such vurneability and the one of the biggest mistakes probably is not having encrypted data, as they literally have plain text file and even having encryption key in plain sight.

Even a simple google search, can open up lots of vulnerable databases stored somewhere. It depends on what you are looking for.

It is good question, i agree with that friend who said truth. You can find them within use google search browser anyway.