I can't say I grasp the series of events and the timeline, but warning someone about a potential issue with their password, then demonstrating that it was an issue after being ignored without compromising anything seems like the right way to do it?  How else could this point have been made?

I think the problem was that the PMs were worded strangely as if it was sent from a scammer.  Perhaps something a little more simple and to the point would have been more effective.

I do feel left out that I didn't receive one of these messages.  I guess because I have no security questions (that I'm aware of).