That's why you don't put in an automated payment mechanism for the sake of convenience. It's really Lazada's fault if they allow for such things. Customers come from all backgrounds, it's probably safe and easier to bucket them under "naive idiots". Most of these "naive idiots" would gleefully accept convenience despite weakening their data/online security. Hence you get these type of cases.

I only use the MOL payment scheme for Lazada. So it's pretty much impossible for anyone to abuse if the account gets hacked.
I even avoid Maybank debit to minimize my online footprin t& exposure because they use a 3rd party middleware to automate the payment (versus me manually logging into Maybank website).

P.S The Hacker was pretty stupid to think he could get away with, assuming that's really his adddress.
It could be an acquaintance's address.