Five days ago, I placed an online order with a company that I have used many times, over the years. It's an online supplier of vitamins and nutritional supplements. My account with that company has login details (email address and password) that I used to use for pretty much everything, until various companies enforced changes, to improve security.

Two days ago I got an email from Spotify, reporting a login from Germany. I set up my Spotify account in 2012 and haven't used it since then, so I was curious. On checking, the login email address and password is the same old combo as for the vitamin co.

Yesterday I got an email from Amazon, warning of a new, suspicious login. Sure enough, my Amazon account uses the old email address and password (all registered credit cards recently expired, so no possibility of rogue purchases).

In the small hours of this morning, I got an email from Netflix, warning of a login in the USA. Same deal with email address and password.

Clearly, my old, well used email address and password combo has somehow leaked out into the ether. The question is: how? I can't help but notice the coincidence of my recent order with the vitamin company and hot on the heels of that, rogue logins to various services. Does anyone have a view on the most likely explanation? Could it be a weakness in the vitamin company's systems/web page, dishonesty of an employee at the company, or is it more likely to be something at my end (e.g. keystroke logging malware)? I run Macaffee on my laptop and use Google Chrome browser with Win 7.

Thanks. Ant.