Some days ago I received an email that someone logged into an old account of mine. The hoster obviously introduced 2FA, so i got a verification code.
Back in the days I used to use weak passwords and over the time you forget about the accounts you created when you were 15 and used 2 times. Bots who try user/weak password combos sometimes are successful and try the successful credentials at other web services.
Clean up time
From time to time one has to clean up. In the house and also on the internet.
Long story short: I used this mail notification as an intention to delete my old accounts everywhere. And I recommend this for you as well. For this task I used an online service to check if a username is registered at common services. Some of the service-APIs are faulty but the website was a big help and I deleted 4 or 5 accounts a bot could easily have taken access to.