Lots of ways, but most likely a hack on a vendor you used. A few years ago, Target was systematically exploited over months and something like 40
million credit card details were taken. With all details, including the CCV which vendors are never meant to store. But many do, including Target at that time. And then they re-transmitted the details over insecure internal networks, including at one point some WiFi networks - which is how the hackers first got in, sitting in cars near the company buildings hacking the insecure wifi
Target paid out hundreds of millions in compensation and fines to the banks as a result of that. And apparently that's not even the biggest in terms of number of details (though I think they were the biggest to have all details including CVV)
Anyway, if they had all your details it's probably something like that - an online or by-phone vendor, or any vendor who knows your address. When it's just card number and CVV it could also be a hack on a store you went into - either a hack or more often crooked employees, who surreptitiously scan the card twice, once for the purchase, once to get the details off (then they manually spot and write down the CVV which isn't stored on the card).
There's online marketplaces and forums where criminals sell card details to one another, often for a few cents a card sold in batches of hundreds of cards at at time. - Ditto funded Paypal accounts, online bank accounts, etc etc.
Lots of ways, sadly!