...and they don't even know it, yet.
Normally, when there's a big data breach we read about it.
But I believe that either Amazon, Microsoft, or PayPal has been compromised and doesn't realize it, yet.
There's a username/password combo that I only use on those sites, and I last changed the passwords on those accounts a few months ago.
I'm also very careful about what websites I visit and never fall for phishing or other attempts to get my information. I trust no one.
I got an email from PayPal, today, about a new sign in. I closed my browser, opened it again, went to PayPal and didn't see any evidence that someone had been there-- but I changed my password and added 2 factor authentication, just in case.
I did the same for Amazon.
In my Hotmail account I checked the activity log and saw a device in my list that didn't belong to me. It's been trying to sync my email account for 3 weeks (unsuccessfully). It was definitely logged in, though.
I deleted the device and changed my password.
Since the compromised password was fairly new and I know how obsessive I am about protecting it, I have to believe that one of those 3 sites has been breached.
As a precaution, I would suggest that y'all change your passwords, there, as well-- just to be safe.