I don’t know where to look.
How they are sourced - usually they are put up for sale. Eventually someone leaks them and their value goes to zero. So they ask for a high price and that alone makes noise on forums.
Once they are leaked they are on forums, but torrent, and places like that.
The rest is more info on what an information security person needs from the lists.
I can tell you a couple resources and suggest a couple places to search and learn more.
Resources
NIST SP 800-63b tells us to stop changing passwords every 90 days and to forgo the complexity requirements- if you also make sure the password is not in a list of known compromised passwords (and a couple other requirements out of scope).
So, you need to look at data breaches to make sure the pw is not compromised.
https://haveibeenpwned.com/ - you can check if a pw has been compromised here. Troy keeps a list and constantly updated it. You can also ask where he gets those lists.
https://support.google.com/accounts/answer/9457609?hl=en Google keeps a list you can check against.
Here are resources where you can learn more
Kerbs on security - in his journalism work he spends time on the dark web and you may gather some clues reading his articles.
Bit torrent trackers and search engines.
Dark web (tor) search engines.
In addition to this, there are service that scan the dark web looking for data you ask them to look for and alert you.