I've had multiple incidents recently where clients have gotten emails from hackers claiming to have access to their online accounts, and they prove it by putting the person's password in their email. They then demand $1000 in Bitcoin or they threaten to wreak havoc.
What's happening is that hackers are exploiting some of the many data breaches that companies are having. In many cases, those data breaches have exposed not only email addresses, but also passwords (even encrypted password data can be vulnerable). Hackers know that many people use the same password on multiple sites, so they're hoping that the one they got is one you're reusing.
You can find out if you might be vulnerable by visiting haveibeenpwned.com and entering your email address. If it says that you've been "pwned," then you need to change the password for that email address ASAP. If you're using that same password on other websites, then you need to change ALL of them. Even variants aren't a good idea (such as HappyDog123 and happydog456).
This is a perfect example of why we tell people to never use the same password on multiple sites. Use a password manager, or even write them in a notebook if you must (keep it safe!), but make them all unique, and make them at least 12 characters in length.
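To check an existing set of passwords against the advice above (no reuse, no close variants, at least 12 characters), here is an added example that is not part of the original post. It assumes a site-to-password mapping, such as a local password manager export, and the `stem` heuristic and the sample data are constructed for illustration.

```python
import re
from collections import defaultdict

MIN_LENGTH = 12  # the minimum length the post recommends


def stem(password):
    """Reduce a password to its base word so close variants collide.

    Assumed heuristic: lowercase, then strip leading/trailing digits and
    punctuation. "HappyDog123" and "happydog456" both become "happydog".
    """
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())
    return core or password.lower()


def audit(vault):
    """vault maps site name -> password. Returns a dict of findings."""
    by_exact = defaultdict(list)
    by_stem = defaultdict(list)
    for site, pw in vault.items():
        by_exact[pw].append(site)
        by_stem[stem(pw)].append(site)

    reused = sorted(sorted(s) for s in by_exact.values() if len(s) > 1)
    # A variant group shares a stem but contains more than one distinct password.
    variants = sorted(
        sorted(sites) for sites in by_stem.values()
        if len({vault[s] for s in sites}) > 1
    )
    short = sorted(s for s, pw in vault.items() if len(pw) < MIN_LENGTH)
    return {"reused": reused, "variants": variants, "short": short}


# Constructed sample data, not real credentials.
SAMPLE_VAULT = {
    "mail": "HappyDog123",
    "bank": "happydog456",
    "shop": "HappyDog123",
    "forum": "correct-horse-battery-staple",
    "news": "Tr0ub4dor",
}

if __name__ == "__main__":
    for kind, hits in audit(SAMPLE_VAULT).items():
        print(f"{kind}: {hits}")
```

Every site listed under `reused` or `variants` falls to the same leaked password or an obvious guess from it, so those are the ones to change first.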