This is a pretty common spam extortion attempt that most likely can be ignored. So many databases have been exposed or hacked that included user information that they use that as bait. Doesn't mean that what they say is true.
I received those as well noting passwords I haven't used in decades. So someone got hold of old database user information that I happened to be in.
I would still run a malware scan on your site and also check your domain to see if it is blacklisted due to being hacked. Then anything using the password that they reference should be changed immediately just to be safe.
"Be a voice. Not an echo." ~ Anon