the data leaks we saw from Ledger and other companies never included any addresses or xpubs.
That's because Ledger didn't have them. Once they launch their Ledger Recover service, they will. They and the companies they're partnering with will have the keys AND the KYC needed to recover the keys.
The amount of coins never leaked anywhere which means those who still have those databases can't know who owns what. But since their names are on a list of hardware wallet users, it's reasonable to assume they have coins whose keys they believe are worth protecting with such devices.
Again, Ledger Recover didn't exist back then. Ledger Recover is a new service which extracts keys from users' hardware wallets and includes the user's personal information (KYC).
I'm guessing you're not familiar with Ledger Recover, so here are some links you might want to check out:
Youtube interview with Ledger CEO Pascal Gauthier:https://www.youtube.com/watch?v=M3VjQUcyZSYI still can't believe Ledger's CEO said that about one of his own company's products.
Ledger's key extraction includes other companies. What happens if those companies want to give up your keys? Here's what Ledger's CEO says:
Yikes.
"Great, so now the Department Of Justice calls you and says "We are charging so and so with X, Y and Z. Get two of your vendors to send us the Bitcoin keys."
Harry Sudock, discussing Ledger Recover with Ledger CEO Pascal Gauthier
https://youtu.be/M3VjQUcyZSY?t=2608Here's the part about a hacker being able to connect the coins to a user's personal information (their KYC data):
Rodolfo Novak: "Isn't it an issue now that you have the KYC plus the Bitcoin, together? Right, because just losing the KYC... it's a problem, it sucks, right? But you don't lose the Bitcoin. Now, you have the KYC
plus the coins."
https://youtu.be/M3VjQUcyZSY?t=2306