So at this point, it really is safe to assume the bad guys have YOUR password. Probably several of them.
Don’t believe me? Go to haveibeenpwned.com and check your own account. And that only checks a tiny fraction of the databases that have been hacked.