You don't necessarily know they sat on it. You only just got a notification of the failed login now.
That doesn't mean they didn't try stuffing it elsewhere previously, or have login attempts you weren't notified of.
Nor do you know if the entity responsible for the failed login is the one who originally captured the credentials.
If you'll forgive the wild speculation, your credentials could have been sold recently and the new owners are less picky about alerting victims to the breach.
It could be that a bunch of credentials were captured for a specific purpose. Perhaps it was a targetted attack aiming for a specific victim, you and others here were collateral damage, and now the attacker is selling the assets.
I also generally am more suspicious of the idea that they sat on the credentials for years. Although that is not impossible.
One disproving fact (of sitting on the password for years) is that a few people here in this thread confirm having a login attempt from the exact same ip range, but with an account that was created this year -- in one case, in November 2021: