It wasn’t just phishing, that’s just part of their blame mitigation, like ‘Well, it wasn’t OUR servers.’ They gave the info to some third party who got hacked, or maybe it was RoadRunner itself.
I got a notification of this on an email account I haven’t used in ten years, and I never click email links.