Don't you just love when PayPal decides to do stuff without warning and sends everyone in a tizzy? OY!
Regardless legit or not, always a very good thing to change passwords randomly, using 16 to 32 characters on any site you receive or send money. My PayPal pass is 23 letters, numbers, characters and the bit strength is over 100. I change it randomly, not like once every 2 months or so but at various times. So you did the right thing changing it anyway.
It's odd they wrote, but well....it's PayPal (who expects us to abide by their rules but don't think they need to do so). ROFL
I think I ticked them off one time, I earned a bit of decent money and decided to go shopping for ads and for fun stuff. I'd made a couple of store purchases and was buying ads at 3 sites. Just finished the 3rd one, and BOOM, they froze me out. Used the call me feature and read them the riot act, after listening to reasons that made no sense. Told them if I wanted to shop all day long on my account, who were they to tell me I couldn't. Put the account back to right immediately or I'd be calling my attorney general. Took them 5 minutes and a very long drawn out apology with all sorts of excuses, none of which made any sense and didn't pertain to their error in judgment.
Unfortunately, they get noobs in who aren't yet up to speed on the proper way to do business, and innocent members get hickied in one way or another. Did they ever say why they mailed you in detail? Was someone at another location trying to access your account and they shut it until you could respond? If so, why would they snail mail you instead of use the contact phone number? Just trying to understand their mindset. LOL