I’m in the U.S. I was notified by Amazon that someone signed in to my account from Nigeria (not that someone “attempted” to sign in). I’ve had the account for many years and this has never happened before. They didn’t order anything and I changed my password, but 48 hours after notification.
I made this new password only 10 days ago, a random mix of 25 characters. I have not used this password for any other website. I do not use a password manager. I store passwords on a flash drive that is plugged in only when I need them. I access my Amazon account only from one device, a Windows PC. I update Kaspersky and Windows 10 automatically. I ran a full Kaspersky scan and no threats were found. I use 2FA on Amazon with my phone number.
How could someone have figured out what my password was unless there is something on this PC that recorded it that Kaspersky missed?
Also, if it is OK to ask a related question, as Amazon stores my credit card number, which someone in Nigeria could have seen, I guess I should cancel the card and ask for a new number, or is this overreacting?
Should I be worried about someone porting the contact phone number and/or accessing my contact email, since they would have needed one of these for the 2FA?