I had one of those "your email account has been logged into from elsewhere" messages, and assumed it was a spam/phishing thing.
I went directly to that account, logged in and yes, indeed it had been recently logged into from an IP pertaining to Russia (but that could be spoofed anyway). It was an old email address and used only for a spam trap (website shop needs an email address to provide shipping info, so use that one so I can at least find out the costs. I actually transact with another email address, of course).
Needless to say, I changed the password on that account and haven't seen anything dodgy since.
Never used a password manager. The thought of keeping all of the passwords under one password has two issues for me: (a) crack that one password and bingo, (b) I'd forget that one password. My password manager is a spiral-bound booklet with a list of the site, my email address used/username and password. Secure, no, but it's air-gapped from the internet. Good luck to anyone 'hacking' physical paper and ink.