CFB.....I've found that most of the time somebody had their online account compromised is because of something else they did. Someplace down the line, they did something they shouldn't have, and didn't realize it. Most of it is because of phishing scams.
I had my Discover Card compromised a couple of years ago. Somebody in Philly was having a hey-day ordering online. Discover took care of it for me. I have no idea what I did, but I'm sure I had to have screwed up someplace. However, I didn't cancel my Discover Card because of it.
My paypal and ebay leaks were because someone hacked into their data and it wasn't encrypted. I see stories about similar leaks pretty regularly.
My credit card leaks were tracked back to two online sellers who exposed credit card info through an exploit. Believe it or not, Walmart and Rakuten (Buy.com). I've had no problems since I started using one-time CC numbers.
One of my former employers (originally Digital Equipment Corp, bought by Compaq, bought by HP) also exposed all of their employees pension/retirement account information and they're still paying for free credit monitoring, which so far has never worked. You'd think that a premier technology company would do better than that. But that turned out to be a bit of a good thing. I had no idea that I'd worked long enough back in the 70's and 80's to qualify for a pension, until they sent me a letter saying my pension data had been exposed, and I got to ask the question "What pension?". Turns out I'll get ~$40 a month starting in a few years. Thanks hackers and incompetent IT people!!!

A major problem for many people is they use the same passwords for a lot of sites, and all you need is for one of them to not encrypt the data and expose it. If someone gets it, they can try the usual sites for the same email/username and password combo. The big kill is getting into your email and finding messages from all the sites you use. I use different ones for everything and change them every six months or so.
The only reason why I stopped using paypal is because they refused to delete bank and credit information I didn't want them to have, and didn't intend to use again with them, and they refused, even though I told them I'd change it at great effort, rending it worthless to them. A poor policy decision IMO. Once they get a bank account # and cc#, they really don't want to let it go.