They have their email and their ID, added with the knowledge they are compromised. That's enough to build a spoof password reset email and get them to type in an old/new email.
Oh no! someone could send me an email confirming that I want to reset my password! Just like every other site out there that has a forgot password link.
They know their email and ID - so it's targeted. Without this information it is generic and easily spotted. Quoting your repository is a lot more personal and believable.
Additionally you can use the previous warning emails to really target somebody as one of the few that need "further recovery/security" steps. This is a security issue.