It’s common I believe. I have had a few. I’m no expert, but the passwords compromised- if they’re for sites like iPlayer, reading the newspaper online and no money could be involved I don’t care. If it was for something like VT or social media, I’d do what you’ve wisely done and change it. If it was for something potentially involving money (bank, Amazon etc) then I’d make sure I had 2FA enabled and a complex unique password and so on.