What customer information did you store with that provider? Just names and emails, or was there anything else that attackers may have been able to access?
Mine was addressed with my full name in the "To:" field, so they do have our full names (but just didn't mail-merge those into the body of the message).
My email was also my domain name contact email, so I originally thought they'd obtained it by DNS lookup...