That would probably help. "Your password, xxxx, has been compromised." Even if they think it's spam, they should immediately realize they do need to change their password.
Password is already compromised, so this is a worthless step. And only seeing part of the password may cause them to think it's largely still secure or something. (Some people don't understand wildcards.)
Since their password is already compromised publicly on the Internet, it's silly to worry about shoulder-surfing. In fact, if someone shoulder-surfs, and sees the password, the user is even more encouraged to CHANGE it.