How did spammer get usernames and emails

I also received the Password Reset Link-

Mine came from Mybiznetsite.com (Hosted by Wild West Domains LLC who is owned by GoDaddy)
Sounds like the issue has been identified correctly by @todditro and don’t reply to that message and you should be good.

-Disable the ability for people to look up these usernames
-Add a plugin (if necessary) or modify .htaccess
-ALSO, look into “SPF” (Sender Policy Framework) – I am looking into this now and I think it may be a way to prevent others from sending message “On Your Behalf” or “Via” as you’ll see sent via example.com

Thank you everyone!

I am also getting these e-mails from [email protected] saying that somebody has requested a password reset

@todditron, thanks for sharing that wp_mail_from filter snippet, works great as a quick fix!

small modification to the wp_mail_from filter to apply it only to the lost/reset password emails (the original filter broke return addresses on my contact form emails):

add_filter( 'wp_mail_from', 'reset_password_from_email' );
function reset_password_from_email( $from_email ) {
    if ( isset( $_REQUEST['action'] ) && in_array( $_REQUEST['action'], array( 'lostpassword', 'retrievepassword' ) ) ) {
        // Get the site domain and get rid of www.
        $sitename = strtolower( parse_url( get_home_url( get_current_blog_id() ), PHP_URL_HOST ) );
        if ( substr( $sitename, 0, 4 ) == 'www.' ) {
            $sitename = substr( $sitename, 4 );
        }
        $from_email = 'wordpress@' . $sitename;
    }
    return $from_email;
}