Because they told me what it was. "I know your password is **blah**blah**". It wasn't one from an email provider, but one of the weaker ones I use for occasional one-off type create-an-account moments.
That suggests that:
- either your PC is compromised, i.e. they've installed a keylogger (most alarming)
- the site you used this password on stores passwords in plaintext/has really poor security standards (passwords should never be stored, not even encrypted)
- the site you used this password on was compromised so much that they were able to capture your password when you logged in
- the password you were using was very common/trivially easy to reverse
Do you know which site it was the password for? Is it one of the main ones?
Best practice is a different, complex, random password for every site you use and a password manager to store them.
Or alternatively, if it's a one-off use, don't store it and instead use the password reset facility whenever you need to log in again.
Make sure the machine you're using is free of malware and then change all of your passwords. And then ignore the scamsters.