Robert Graham of Errata Security makes a great recommendation in a recent post:
e-mail addresses, like "firstname.lastname@example.org". This
account is not going to get any spam e-mail. When it does get its first
spam, you'll know that it came from your database. When I create
recommendations for clients, this is always one of the first things I
suggest. (Likewise, if you are an e-commerce site, you should get dummy
credit cards that only exist in your database). This won't stop you
from getting hacked, but it will at least tell you when a hack has
happened. (I suspect that this isn't the first time phpbb has been
hacked – just the first time it's been made public).
Canary accounts are a great idea (and it's a great name for the concept). I believe there was a company out there at one point that would do this for individuals and their email addresses, and I've talked to a few folks who have used the concept in databases. It requires good planning to ensure that all business processes are factored into managing the accounts.
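A sketch of how the canary check could be wired up, added here as an example and not taken from Graham's post or from any product. It goes one step beyond the quote by deriving a different canary address per datastore, so a hit also says which database leaked. The secret, the domain `canary.example`, the datastore names and all function names are assumptions.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import getaddresses

SECRET = b"constructed-demo-key"   # assumption: kept outside the databases being watched
CANARY_DOMAIN = "canary.example"   # assumption: a domain you control that gets no real mail

def canary_address(datastore: str, index: int = 0) -> str:
    """Derive an address that exists only in one datastore."""
    tag = hmac.new(SECRET, f"{datastore}:{index}".encode(), hashlib.sha256).hexdigest()[:10]
    return f"j.{tag}@{CANARY_DOMAIN}"

def build_registry(datastores, per_store=2):
    """Map every canary address back to the datastore it was planted in."""
    return {canary_address(d, i): d for d in datastores for i in range(per_store)}

def leaked_datastores(raw_message: str, registry: dict) -> set:
    """Return the datastores whose canaries appear as recipients of a message."""
    msg = message_from_string(raw_message)
    headers = []
    for name in ("To", "Cc", "Delivered-To", "X-Original-To"):
        headers.extend(msg.get_all(name, []))
    return {registry[a.lower()] for _, a in getaddresses(headers) if a.lower() in registry}

def without_canaries(recipients, registry):
    """Business-process side: keep your own mailings from tripping the alarm."""
    return [r for r in recipients if r.lower() not in registry]

REGISTRY = build_registry(["forum_users", "shop_customers"])

# Constructed sample messages, not real mail.
SAMPLE_SPAM = (
    "From: deals@bulk-sender.example\n"
    f"To: {canary_address('forum_users', 1)}\n"
    "Subject: You have won\n\nClick here.\n"
)
SAMPLE_NORMAL = (
    "From: alice@customer.example\n"
    "To: support@shop.example\n"
    "Subject: Order question\n\nHello.\n"
)

if __name__ == "__main__":
    for label, raw in (("spam", SAMPLE_SPAM), ("normal", SAMPLE_NORMAL)):
        print(label, "->", leaked_datastores(raw, REGISTRY) or "no canary hit")
```

Any hit from `leaked_datastores` on mail arriving at the canary domain is worth an incident ticket, since no legitimate sender should know those addresses.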