@peterleinchen, that might be it.

I had a mysterious call the other day. I applied for a new credit card online and had a call from the company to verify the application was genuine. All they asked me were some random things from what I provided in the application. I thought, "what's the point? how could that verify that I am not a scammer applying in someone else's name?" Colleagues explained that scammers may not memorize all the data and a random call back may catch them off the guard. Well, maybe...

A colleague then went on to describe a case of three people on his street finding out that someone had taken a loan in their name. Long story short, it was the postman. He stole their passports (here in the UK, passports are delivered by post) and left enough time between that and the loan fraud that people did not immediately make the connection.

The lesson learned: do no reuse passwords.