If you get such an email you should delete it, but don't ignore its message that your password might be compromised. These messages come from hackers who have gleaned your password from the Dark Web where user data, stolen in security breaches, has been posted for the bad guys to exploit in any devious fashion they can devise. Ugh. If only they'd use their powers for good instead of evil. I've received several of these messages over the past year or so and fortunately they've all contained the same defunct password I've not used in years. The image above has been edited so you can't see that old password, but, rest assured, it was an actual password I've used.
If you receive such a message, DO NOT open the PDF.
If the password in the email is one you currently use, simply delete the message and immediately scan your computer for malware using the free version of MalwareBytes. Delete anything it finds. If you're not sure, call us: (818) 293-5592.
Next, and you might want to do this from a different computer while the first one is being scanned, change that password wherever you're using it. Brainstorm: banking, credit card, Amazon, insurance, AAA, travel...where have you used that password??? Make a list and check them off as you change each and every one.
Next, if you're a Chrome user, be sure to install Google's Password Checkup Extension which will reference the web site you're logging into against a list of sites that are known to have experienced a data breach and, if necessary, recommend your password be changed.
Unfortunately, I have not been able to find an equivalent solutions from Microsoft for Edge or Internet Explorer. Firefox, however, does at least offer a breach monitoring service which you can find here. Personally, I find the Chrome solution, which checks my accounts on the fly, to be much more handy.