Most likely, a bot is using the Payzone password reset feature on a long list of known email usernames, to figure out what usernames are in use on Payzone. Once the bot has got a list of valid usernames, it can start to work on brute-forcing those accounts' passwords.
Did the email quote your password to you? This should never happen. If a website is doing security right, it shouldn't actually store your password in any retrievable form (here's the why and how, in case anybody is curious: https://crackstation.net/hashing-security.htm).
I wouldn't trust a company with my money if they are 15 years behind internet security best practice.
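As an added illustration that is not part of the original post, here is a sketch of a reset flow built so that neither problem described above can occur: passwords are stored only as salted PBKDF2 hashes, so no email can quote them, and the reset endpoint gives the same reply for known and unknown addresses. The in-memory stores, function names and the example.invalid URL are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stores (assumptions); a real site would use a database and a mail queue.
USERS = {}         # email -> (salt, password_hash)
RESET_TOKENS = {}  # sha256(token) -> email
OUTBOX = []        # (recipient, body) pairs standing in for sent mail

GENERIC_REPLY = "If that address has an account, a reset link has been sent."

def _kdf(password, salt):
    # Slow, salted, one-way hash; the iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def register(email, password):
    salt = secrets.token_bytes(16)
    USERS[email] = (salt, _kdf(password, salt))  # the plaintext is never stored

def verify(email, password):
    # Unknown users still cost one KDF call, so login timing does not reveal them.
    salt, stored = USERS.get(email, (b"\x00" * 16, b"\x00" * 32))
    match = hmac.compare_digest(_kdf(password, salt), stored)
    return match and email in USERS

def request_reset(email):
    # Same reply text whether or not the account exists, so a bot walking an
    # email list learns nothing from the response. Mail should be sent from a
    # background queue so response time does not differ either.
    if email in USERS:
        token = secrets.token_urlsafe(32)
        # Only a hash of the token is kept; a leaked table cannot be replayed.
        RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = email
        OUTBOX.append((email, f"Reset link: https://example.invalid/reset?t={token}"))
    return GENERIC_REPLY

def complete_reset(token, new_password):
    # Tokens are single use: pop() removes the entry on first redemption.
    email = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if email is None:
        return False
    register(email, new_password)
    return True
```

Rate limiting per source address and per target account would normally sit in front of both `request_reset` and `verify`.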