Ok folks, my own independent research uncovered the following:
When hackers hack a website (ex: twitter, electronics forum, Sony, Experian, etc.) they either sell the account info (incl. password) on the black market or they post it publicly (on a paste site like pastebin.com usually) to gloat. Facebook security crawls these paste websites looking for your email/username and if it finds one of your accounts, it compares your password for that account with your facebook password and if the passwords match, you get the message that I got.
There are a few directories to find the latest password dumps, including
http://twitter.com/PasswordsLeaks.
I sought out all the places that I could find where hackers typically post up their password dumps, and I could not find any password dumps that included my info from any website, however I did find
http://www.leakedsource.com/. LeakedSource is a database of password and personal data dumps that are collected from various dump sites across the web. You can search for yourself (or anyone else) by name, email, IP address, phone number, etc. and if there are any hacked (and publicly exposed) accounts in LeakedSource's database, you will be able to see them there. If you pay $4, you can see the entire contents of the hacked data dump, including plain text passwords. I had 3 hacked accounts, two of which are from long defunct forum logins. My passwords for these websites have been available to the public since February of this year.

I searched several friends and family on that website and uncovered passwords to handful of loved ones' old myspace accounts, forum accounts, and my brother in law's porn account. I found an unsettling amount of information about my dad and my uncle (deceased) which had been hacked from Experian.
Note that my two hacked accounts were VBulletin accounts. My loved ones' forum accounts were also VBulletin accounts. I went in search of more info about these hacked VBulletin accounts and found this:
http://www.zdnet.com/article/hacker...reds-of-verticalscope-car-tech-sports-forums/
A hacker has stolen tens of millions of accounts from over a thousand popular forums, which host popular car, tech, and sports communities.
The stolen database contains close to 45 million records from 1,100 websites and forums hosted by VerticalScope [VBulletin], a Toronto-based media company with dozens of major properties, including forums and sites run by AutoGuide.com, PetGuide.com, and TopHosts.com.
You all might want to check and see if your forum logins are compromised.
Unfortunately my account (whatever account it is/was) that shared a password with my facebook account was not in the LeakedSource database and I could not find it anywhere else either. I assume it must be pasted to the
deep web somewhere on a Tor/Onion site but I'm not going down that rabbit hole to find out.
It would be really useful if the Facebook alert had given some clue as to where their crawler uncovered my password. The password that I used for Facebook is one that I had been using on all my sensitive accounts (lots of personal info or financial info) so I'm still not comfortable not knowing what account it was or where it's posted. It had to have been a pretty high-level account, like from my bank or one of my guarded email accounts. I've changed all the passwords for all the websites I can think of. I'm 99% sure I've taken care of it but there's an uneasiness in the back of my head like I'm forgetting something. Adding to the uneasiness is that, whatever account I used this password on was a reasonably trustable (big name, high security) website and there hasn't been any reported breaches in the last week from any websites that I frequent. So I wonder if it was obtained by some other means, some hole in my defenses that I haven't plugged, and if it won't just happen again.
more info:
http://www.makeuseof.com/tag/passwords-leaks-happening-time-heres-protect/
http://www.makeuseof.com/tag/heres-much-identity-worth-dark-web/