Robert Graham of Errata Security makes a great recommendation in a recent post:
The first is to create "canary" accounts. Create accounts that have
e-mail addresses, like "something-really-long-xyz-123@gmail.com". This
account is not going to get any spam e-mail. When it does get its first
spam, you'll know that it came from your database. When I create
recommendations for clients, this is always one of the first things I
suggest. (Likewise, if you are an e-commerce site, you should get dummy
credit cards that only exist in your database). This won't stop you
from getting hacked, but it will at least tell you when a hack has
happened. (I suspect that this isn't the first time phpbb has been
hacked – just the first time it's been made public).
Canary accounts are a great idea (and it's a great name for the concept). I believe there was a company out there at one point that would do this for individuals and their email addresses, and I've talked to a few folks who have used the concept in databases. It requires good planning to ensure that all business processes are factored into managing the accounts.
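One way to put the canary-account idea into practice, as an added example that is not from Graham's post or from this one: derive one unguessable address per data store, then classify any mail that reaches it, so a hit names the store that leaked and flags your own business processes separately. The secret, the `canary.example` and `example.com` domains, the store names and all function names are assumptions made for the sketch.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumptions for this sketch (none of these come from the post):
SECRET = b"constructed-demo-key"   # kept outside every database that holds a canary
CANARY_DOMAIN = "canary.example"   # mail domain you control and monitor
OWN_SENDER_DOMAINS = {"example.com"}  # domains your own systems send mail from

def canary_address(store: str) -> str:
    """Derive the long, unguessable address planted in one data store."""
    tag = hmac.new(SECRET, store.encode(), hashlib.sha256).hexdigest()[:24]
    return f"u{tag}@{CANARY_DOMAIN}"

def build_registry(stores):
    """Map each canary address back to the store it was planted in."""
    return {canary_address(s): s for s in stores}

def check_message(raw: str, registry: dict):
    """Return (store, kind) for every canary addressed by this message.

    kind is "own-process" when the From domain is one of ours (a business
    process is mailing canaries and should exclude them) and "external"
    otherwise (the address left the database). From is forgeable, so
    "own-process" hits still deserve a look.
    """
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    kind = "own-process" if sender in OWN_SENDER_DOMAINS else "external"
    headers = []
    for name in ("To", "Cc", "Delivered-To"):
        headers += msg.get_all(name, [])
    hit = {registry[a.lower()] for _, a in getaddresses(headers) if a.lower() in registry}
    return [(store, kind) for store in sorted(hit)]

# Constructed sample messages, not real mail.
REGISTRY = build_registry(["users_db", "orders_db"])
SPAM = (f"From: deals@spam.invalid\nTo: {canary_address('users_db')}\n"
        "Subject: offer\n\nbody\n")
NEWSLETTER = (f"From: news@example.com\nTo: {canary_address('orders_db')}\n"
              "Subject: monthly update\n\nbody\n")
UNRELATED = "From: a@spam.invalid\nTo: someone@example.com\nSubject: x\n\nbody\n"

if __name__ == "__main__":
    for raw in (SPAM, NEWSLETTER, UNRELATED):
        print(check_message(raw, REGISTRY))
```

Because each address is derived from the store name, the registry can be rebuilt from the secret alone and never has to sit next to the data it guards.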
Sounds like putting “Rand McNally Avenue” as the street name in some podunk town in your atlas.