This type of behaviour is likely to before more and more common with people working from home, especially if they don't use proper level of security on their machines. The reality is that most people reuse passwords for lots of things and if there is a security leak on one (e.g. yahoo or linkedIn) its likely that people will use the same password for lots.
If the password they have provided is not the password for the account they give, they cannot access it so its likely a phishing scan knowing a percentage of people will pay it up. Most emails at this stage will send you an email to your back-up account if it is accessed from a new device. At this stage, it would be a good idea to reset passwords for everything.
Other simple change is to ensure you have 2FA (two factor authentication) set for anything that can support it - for example google services.
Other than that, consider the use of a password manager application
Finally, if it is the password to the email/site and you feel it may be compromised (ie you got notice it was accessed from a new device), that's a different story - but I imagine that is a pretty rare scenario here !