They probably got the email and the exchange password from a user account dump but the passwords used on the actual emails were never used on forums or websites.
Anyway, I've changed the passwords on all my important accounts and made a new wallet since the old one is probably compromised.