Another question I have is what email address/username was used in this situation, is it one that is shared among other websites of the same nature or was it a unique email address that was never actually used for email purposes?
If your email address even shows up on a Google search that means it is vulnerable. You should have a unique, unknown, unused (besides verification and sign up) email address/username that is not listed on any search engine to maximize security. If you don't have a unique username then you should have a super common one that shows up everywhere.
btc-e doesn't allow email-address as a login.
Edit: and they lock your account after 3 failed login attempt.
Thanks for the info. The same applies though, if you share the same username between services then it is relatively easy for someone to then find your email address and then expand from that to find other information about you.
Anyone that engages with you in a conversation and provides a link could gather your IP address from your visit to said link (depending on what website it is obviously) or install malware directly onto your PC.
It is a good practice to use a VPS when using these sites to mask your true IP address at all times.