There are more ways to obtain email addresses than just a security breach on the host's web site. You could have logged in from a public workstation infected with a keylogger (which may have actually been installed by the sponsor of the public workstation), or (if the address is not terribly complicated) been the victim of a "lucky guess," machine-generated or otherwise.

I nevertheless would be very interested to hear if there was a security breach at IB.