> Or the simpler answer, their db/email list has been compromised.
I find the first option far simpler.