Your credit card numbers may have been stolen, they could have been stolen in a number of ways. My own hosting company a couple of weeks ago, had 129 attempts at using stolen credit cards in a couple of hours for starters. I cross check ip address's and verify all new accounts before credit cards are authorized.
When I see traceroutes with an initiating ip address from Hanio Vietnam, and the name and address is from Michigan, something is usually up. They were also operating within the US. They called themselves "Dark Force Group".
I talked to a number of the owners of the credit cards, they knew nothing of my company nor nothing about web hosting or what it was. They had no idea that their credit cards had been stolen. It was not just one of their cards but a number of their credit cards in some cases.
Keep in mind that a good majority of the credit cards stolen are from retailers. Waitress's/Waiters are also famous for using pocket scanners at restaurants. You can even purchase a phone with a built in scanner now.
Many retailers are starting to use wireless devices for lower cost and ease of use/installation. Unfortunately it allows someone wardriving to sit a block away and be able to infiltrate the retailers credit card processing network. This has happened numerous times with some of the biggest retailers, and in some cases resulted in millions of cards being stolen with one infiltration. In some cases they emplace code that keeps sending them new batches of credit card numbers over a period of time.
Crooks in some cases hide a passive receiver/laptop running kismet nearby and collect all the network data packets over a period of time. Then analyze it and decrypt that data to find passwords and weakness's and then infiltrate.
This works also works with home wireless networks. Your neighbors can use kismet a passive packet recorder to collect everything you do on your wireless system. If you are running a wireless internet device and do not have wep turned on, it is really easy to read the packets, as they do not have to be decrypted. Always us the highest wep setting and use long password/pass-phases that contain numbers and letters. You cannot stop someone that really knows what they are doing. But by practicing basic security procedures you can stop 99% who are simple script-kiddies.
A number of years ago at the black hat conference. The FBI team demonstrated breaking 128 bit encryption with a laptop in less than 3 mins. 128 bit encryption is the minimum requirement for US banks to use, now going to 256. But then with computers getting better, it will now only take a few minutes to break 256 bit encryption.
No matter what you do, using a computer for online purchases, going to dinner, or going to the mall. Your credit card is subject to being stolen. The use of pin numbers and or bio metrics will eventually be integrated into doing every kind of card transaction. Then a whole new round will begin!