My initial reaction, as well, but if the passwords had already been re-set before he got the contact, it may well have been legitimate.
Yes. Chain of events as follows:
Received email alert from bank that a profile change had been requested. Call the number on the card at once if I did not make the request.
Called the number and sure enough everything had been changed, including password. Confirmed by trying to log on unsuccessfully. After confirming my ID, card was cancelled, new card on the way to my real address.
Asked them if they would tell me the address the thief had used in the new fake profile but they said they couldn't divulge that info. :-) Oh well, I tried.