You entered your credentials into a HelloSign phishing test. Rest assured, the email you received was not real (and there is no issue). Your password was not stored or sent over the network when you submitted the phishing test, so you do not need to change it. We perform these tests to understand our susceptibility to phishing attacks.
Please do not spread the word about this test. While forwarding a suspicious email to email@example.com is always advised, please do not tell your coworkers that a phishing test is ongoing.
How could I have noticed? This test had fewer errors than our previous phishing emails, but used completely public information. You should be cautious when you receive a notification like this out of the blue. Also, HelloSign has never used hellosign.io (we bought it for this test). Whenever you enter credentials into a website, you should ensure you are on the right domain. Additionally, your company-provided password manager, LastPass, would not have automatically filled your credentials, which is an important indicator that you might not be on the right domain.
Why was this test harder to spot? The security team has seen an increase in targeted phishing attacks against our company. As such, we need to be prepared for attackers to use more sophisticated attacks than Nigerian princes. We built this test using mostly public information, to emulate what an attacker could get. Additionally, because we have been acquired, we are expecting to become a larger target very quickly.