Last year, one of my family's credit cards was used to rack up hundreds of dollars in bogus charges at Apple.com. Another card was compromised four times in a row, as thieves repeatedly charged merchandise and Uber rides.
I'd noticed that the Apple.com charges had been ticking up, but assumed my husband was buying more audiobooks and my daughter was downloading more games. I'd grouse at them occasionally; they would proclaim innocence and the charges would continue. My takeaways: Sites where you make multiple purchases each month need to be monitored carefully for bogus transactions. Compare what your credit card statement says you've charged with your purchase history on the site. You may have to search online for how to find that history — Apple certainly doesn't make it easy or intuitive to find your charges. And if you find fraud, report it, even if it's beyond the 60-day deadline.
At the issuer's suggestion, I ran antivirus and anti-malware software and changed the passwords on my email accounts as well as my financial accounts, in case a thief had broken into those. I already had two-factor authentication, which requires a code and a password to sign in, on my financial and email accounts. I added it to my most-used retail sites as well.