There is major evidence that we are receiving a botnet from email or a script in HTML. I've read somewhere that the script will run in the background, especially if you bought something online. Also, I highly believe that it is possible: as I practice JavaScript and Python, it could work out if a black-hat hacker gets their hands on our laptop/desktop. It is a different story if you are using an Android/iOS phone; it requires a different kind of script.
So yeah, every address is vulnerable as long as we are using it online; they only need a manipulating script to work everything out.
Could you point to a link for those pieces of evidence? Also, according to you, how does an avg. guy protect himself from these botnets?