If your passwords are simple, then they are not yours, which means they leaked to the network long before you started using them.
If your passwords are complex and unique, then it is possible that your passwords have leaked from you. For example, a Trojan got onto your computer and stole your passwords. Or the site you were using was hacked and your password was stolen.
Once passwords are online, they can be sold on the dark web. Naturally, not specifically your personal password, but a large database of passwords, into which your password somehow got into.
Google can also buy this password database. Next, Google compares the password database with your passwords, which are conditionally stored on the Google server (if you use the ability to save passwords in chrome).
Well, if there are matches, you receive a letter (and not only).
Then think for yourself, decide for yourself what to do with it.
Personally, I received such a letter, I ignored it, because many of my passwords are simple, and they definitely should be in the databases, but there is hardly a login-password combination.
PS Dad has always corrected mom since childhood, pointing out that an unfamiliar link means an unfamiliar domain , and not generally any link in a letter / chat.

Well... depending on what these passwords protect. If this is a box where spam falls - and to hell with it.

Yes, I had junk passwords like standard passwords for various network devices
admin-admin
And the letter itself is quite official, not phishing.
Go over the list, if there is something serious, then change it.