I have no idea how anyone could know there was a data breach on beerpal unless they were part of it. I'm not aware of any unusual activity. I also received notification from Chrome about a week ago that there was a data breach, but it wasn't from beerpal. It showed me all of the websites that had the specific password that was breached and it was NOT the password I use on beerpal. It could just be that google started sending us notifications about other major breaches. The crazy thing is that Google was right. A day or two later my Spotify account was logged into from Russia. I nkow this because spotify sent me an email saying it was unusual activity. The next day they emailed again saying my email was changed, and I was no longer able to log in! I was able to re-acquire my Spotify account pretty quickly with their online support, but it did make me start changing passwords at all the major websites where I used it. Is it possible that your password for beerpal is the same you use at other websites?
I'm also kicking myself for using that old password that was too simple. 8 characters, but it was a dictionary word ending with two digits. Data breaches that expose your "passwords" do not actually contain your real password. They are hashed into usually a 256 bit encrypted string. What happens is when you log in, the website encrypts the password you just typed in and sees if it matches the 256 bit string in the website database. It's not possible to reverse the 256 bit hash into the regular password, so the only way a hacker can determine your real password is by running scripts that encrypt millions of guesses and see if any of those hashes match your hash. If you use a long, or complicated password, like 10 characters, it would be virtually impossible for a computer to guess it.