Your information could be posted online, and they could just be contacting you to try to get some money. My info was leaked with an old (3+ year old) password. I don't like the wallet idea, so I have a bunch of encrypted passwords that I typically change 3-4x per year.
So long as they didn't actually gain access and try to CHANGE your 2 step authentication you're fine. My guess is that your email/password combo was listed on some nefarious sites. I think I have 5 old passwords listed when I used search. Oh well. None are current.
I think someone is searching for different combinations of my first and last name and then trying what the find with that old password. The gmail account had my name, but it also had some other characters and obviously the domain was different than the email address that was stolen with the password from the uspsa web site a couple of years ago.