I deal with this sort of thing pretty regularly for the company I work for. We get threat intelligence from several vendors when they see our users show up in “dumps”. Basically, threat actors will package up stolen credentials in a large zip file and make that available (usually via bittorrent) for anyone to download. Security vendors (e.g. Mandiant, which Google bought) download those dumps and search for accounts associated with their customers and send out these warnings when they find one. On the customer side, if the breach was recent we’ll force a password reset and warn the user about the breached password, with a recommendation to change their password on the affected site and also change any passwords which might be similar elsewhere.

Why do we force the password reset, even when it wasn’t the account for our business which was breached?
There’s a couple reasons for this. First off, people still reuse passwords all the fucking time. Maybe this victim didn’t, but we have no good way validate that. Second, even without direct reuse, folks like to have one main password that they apply slight variations to. They might use “Hunter 42!” at one site and then “Hunter 69*” at another. This isn’t smart, attackers know you do this and they have scripts to check for this. Lastly, if an organization is following the latest NIST guidance, you’re not changing your password on a regular cadence anymore. With that is the expectation that passwords will be rotated when there is a reason to suspect the credentials are compromised. Ya it’s annoying, but that’s part of the trade-off for not having to rotate passwords every six months, we pull the trigger faster on forced rotations now.

If you get one of these, consider it a good time to think about how you come up with and store passwords. If you are re-using passwords, please turn off your computer/device and don’t come back to the internet until you have thought about what you have done. If you aren’t already using one, please consider a password vault (BitWarden or KeePassXC make great, free choices). These will both help you create strong passwords and also alleviate the need to memorize them. Just create a strong master passphrase for the vault, let it generate the rest of your passwords as unique, long (12+ character) random junk, and stop trying to memorize them (with the exception of your primary email account, that gets a memorized passphrase).