There was just a HUGE(!!!) dump of email addresses and passwords in the last day or so. Many of us are getting emails with our address and a password that was used with it (but hopefully was changed before this!). However, just where they got the email/password (i.e., a merchant, your ISP, or ???) is not specified. If you use unique passwords for each site (important) you may see where it is from. They make threats in the email as if they knew WHERE you used that password but they don't necessarily know.