This is a good reason to not re-use passwords...
This sort of occurrence is way to common, unfortunately. Hopefully, in this case, Demon was simply sending out passwords they had generated, rather than passwords previously used by customers, because, as well all know, password re-use is horribly high.
You can see how this sort of thing would happen by a mail merge sort of activity, but it is also unfortunate that Demon isn't using technology that would have detected just this sort of accidental leakage and prevented it from occurring. Further to a previous poster's point, there are also great encryption solutions available that would allow them to send this information out without resorting to plain text emails.
Michael Argast, Security Analyst, Sophos