
In my experience, security has much fewer of those resources. Most of the information seems to be shared through word-of-mouth, conference presentations, and blog posts.


Much of the information is also just RTFM. I don't think it's a stretch to say that security is a lifestyle: if I read the documentation of an API, more often than not I'll wonder if something can be abused for something. Or when trying to register for health insurance, the password field required special characters, so I set my password generator to include them, after which the form broke, and so I investigated and found that I could inject scripts there. It's just stuff I come across when I'm not even trying.

Word of mouth, chat groups where things are shared, conferences, blog posts... yes, those are resources. But it's also just a whole lot of curiosity and poking at systems.


And experience. Knowing what to look for, even if it's just the HTML source of a web page, is rather important in the first steps of breaking the system. How do you learn what to look for? Well, certainly there are blog posts and even playgrounds with virtual systems and components one can have a go at.



