They leak. They all leak.
I've been getting huge amounts of spam from people claiming to know my password. They give an old password that I used at one time on LinkedIn (long since changed, but I keep a record of past passwords). Clearly, LinkedIn had a leak at one time. It's annoying (but my spam filter removes the spam from my inbox).
Twitter leaked 32 million account details.
Facebook leaked hundreds of million account details.
Now Instagram has leaked 49 million names and phone numbers.
I'm not surprised. When you have systems as large and complex as that, there's likely to be security lapses.
So, what do you do when one of these social media sites asks you for your personal information? Me - I make up something for them. A fake name, a fake date of birth, a fake phone number. The email address is one that I create just for that purpose. And I record all of this, in case they ask me to prove that I am who I say I am.
It's surprising what they accept as proof. Facebook commonly asks people to prove identity by giving a phone number, which they then text a code to, and you type the code into Facebook, thus proving ... proving that you own a phone. Why they think that this proves that you are who you say you are, is beyond my feeble brain to fathom.
So that when all this gets leaked, and becomes available on the various sites that offer such information, I haven't lost anything that would allow impersonation (modern parlance is "identity theft").
Eventually, Facebook might ask me to prove my identity - a passport, or a driving licence, perhaps? NO WAY. It's bad enough if you leak my name, phone and birthday. I'm not going to give you something which, if leaked, will cause me SERIOUS inconvenience. And yes, I do see all the promises that you make that you'll take very great care over this information.
But I don't believe that you are able to.