True and that mostly doesn't happen. The bigger issue is a data security breach where the bad guys get hold of tons of encrypted information in one fell swoop. Now, you can take advantage of time and programs like Hashcat to decrypt at relative leisure. And since most people use the same username and password at multiple sites, all that's necessary is a good program to ramble around the internet randomly entering usernames and passwords at banking and retail sites until--boom!

Sophisticated hackers are like good burglars and robbers. If they get your credit card information, they may not directly use your credit card but instead use the information they obtain to open another account that you're not aware you have--until you get the first month's bill for $10,000.