I also changed the e-mail account login to a different address, so they won't try again.
A little while ago I received a legit e-mail from one of the major online retailers. It gave me the passcode code to enter my account, because apparently someone requested a reset of my password. I didn't click on any e-mail links, but instead I went directly to the retail website. Sure enough, that passcode gave me access to my online retail account. I changed my password.
Next, I looked at what might have happened. Apparently, anyone can type in an e-mail address to request the password be reset. If the e-mail address is recognized, it tells you an e-mail has been sent to that account with the new passcode. If an e-mail address is not recognized, then feedback is given to re-enter the e-mail address. (Other retailers use the phrase "if that account is in our records then we will send a temporary password." That way a potential thief wouldn't ever know if the e-mail address is the login or not).
This has happened before on different online websites (major retailers). Is it usually a person typing in the e-mail addressed into the "Request Password Reset". Or is it a "bot"?