I use Privacy cards for the majority of online commerce. If you aren't familiar with them, they generate one-off card numbers that obfuscate your financial details and become locked to the merchant of first use. They also can create single-use cards that deactivate after the first charge.
The card I have tied to my Epic account generated two fraudulent charges on Dec 10 at Spanish-named locations. The charges were blocked, as they didn't originate from Epic. On top of blocking the charges, Privacy deactivated the card number as they suspected fraud.
I've reached out to Epic for details, but they're just sending scripted meaningless fluff, and its been almost forty days.
Am I right to assume this means Epic was themselves the victim of some breach? I don't see any press releases or coverage of anything.
I cant say for certain, but I do know that it's likely card number algorithms can be compromised in one way or another. I had a credit and debit compromised one day after another, the credit card having never been used at all. I had them both cancelled and reissued immediately, and after activating the new credit card it was done again the very next day. These were from the same bank, a small credit union based in Eastern Washington.
Again, it was cancelled, they told me it was an algorithmic attack, and the next card that arrived was activated and had no further issues despite use in person and online until it expired.
Maybe they were saving face after a breach, but that kind of attack felt far more likely given my lack of usage.
Card numbers follow a stamdard format and have digits that represent the payment provider (eg Visa, Mastercard, AMEX) and the issuing credit provider, along with a checksum, but also guessing the corresponding expiry date and CVV has a vanishingly small chance.