The "security" thing is just script-kid "hackers" running leaked email/password pairs through their login. They're a big target (Fortnite/v-bucks), and people tend to use the same email to register on multiple services, and too many also use the same password. The same email/password combos getting leaked/hacked this very site's been reporting about happening every other day for the last five years.
Of course, people using the same email/PW combo as they did on PSN or whatever hacked service is clearly Epic's fault. Epic's sin here is that they actually notify you that someone tried to log in with your account; most sites/services won't at all, or unless they go over a certain number of attempts.