VERY damaging.
Email is the tried-and-true mechanism for password resets for many, many sites, from banks to government agencies.
Forget about trying to figure out the 'who' - you're in damage control now. As @kanewolf says, enable MFA on everything you can and then systematically go to EVERY service that you have a username and password for and change your password.
Be sure to make notes as you go. One method hackers and bad actors use to retain control is to log into things and keep the session active, programmatically, so that even if you log in and change the password, they can change it right back to something else since they are already logged in. Many sites now offer the ability to 'log out of all connections' when you change your password - be sure to do this and keep an eye out for password change notifications to make sure that your password doesn't get changed again AFTER you change it.
You'll also want to go through ALL your emails for the breached account and see what other info the bad actors now have. Normal M.O. is to immediately download the entire mailbox just in case access is lost. Consider the real possibility that all info in your entire mailbox has been downloaded and is available for a bad actor to go through, email by email.