I've had my credit card information stolen maybe 5 times (probably from a hacked website as I never lost my card.)
I almost guarantee it was stolen from physically using it rather than a hacked website. You know when you pay for a meal at a sit down restaurant and they take the card into the back? All they need to do is photograph both sides of the card and they have all the info they'll ever need to go on an amazon shopping spree. If they wanted to get slightly more risky, they could carry in a magstripe reader (the electronics are tiny now, it could fit in a pocket no problem) and use that to make perfect clones of the card.
Hell, when I worked for a small photography company there was an order form that had people write their card info down as one of the payment options. We weren't trained to handle the forms with any particular security in mind. If I'd been inclined to steal card numbers, 60 seconds with my smartphone could have given me more than numbers than I'd know what to do with (plus emails, passwords, and PIN numbers during little league season since the form had the kids name and DOB on it and we all know how good people are at picking passwords).
It could even be stolen via someone putting a skimmer over the magreader and keypad at a gas station. I've seen pictures of the things in action. Most were built such that unless you know what that gas stations keypad and card reader should look like, you'd really have no way of telling if there's a skimmer or not short of prying at both the reader and the keypad to see if they come off.
This is why I always laugh when the less tech savvy individuals I know seem to think they're somehow being safer by never using their credit cards online. If the site is encrypted and properly secured (I'd assume the big ones like amazon, newegg, etc. are), and your computer isn't loaded with viruses, there's less danger using your card online just because the human element is out of the equation.