Then they must have tried your password and saved it to one of a specific number of places. Infostealers are by definition a class of malware, which means it's got to be installed somewhere with access to the directory storing the credential.
Or it was from an old computer, or mislabeled.
https://www.youtube.com/watch?v=L3f9do5mtT8
Here's a good talk on infostealers for anyone curious.
I'd prefer Luigi.