I use the free Bitwarden - to generate, store and automatically paste in passwords - it works across Windows, Android, iOs. I have changed mine just for the sheer hell of it. As @velvetkevorkian suggested - it's worth checking https://haveibeenpwned.com/ - it's very possible the same username and password have been harvested from another site that he was using.
The question that has to be asked is - has BC been hacked (unlikely as only one incident [so far]) - this is why maintaining sites (as I've found) can be a PITA - you have to keep on top of security updates and sometimes the updates don't always work out. Worse than that - depending on how extensive the site security patch is - any hand crafted changes to the code have to be redone - it's not always simple and problem free.