Please don't hide whom it is that I might accidentally do business with. Nothing is going to change just sending them an email, they may even go after you for doing so. However you may stop others from being suckered when their poor security becomes everyone else's problem. It's not their problem, it's going to be everyone else's.
First assumption is that there isn't somewhere that'll get broken. Everywhere probably will get successfully attacked at some point. Use a password manager. At least this way, when somewhere is broken, I'm sure that it's the only place where that password is used.