OK, honest and possibly stupid question here. If an email address was leaked, but not the password, what exactly should be done? It's not like an email address is classified data, and the one in question is locked down with a high-quality password and MFA.