I know this because I use SimpleLogin to provide each service with its own specialized email address. You can see in the picture the address starts with bixi@sl.***
It's also possible but unlikely that they sold user data.
Yup it is most likely a breach, I reported it to them on my side, it'd be great since you also have a single-use email address if you could also report it to them.
You can give them a call after you email them the info to get them to get on it, that's what I did :)