They absolutely are. Fun example: when Revolut launched in Japan a few years back they had a period of relatively explosive success (especially within the immigrant community), so most of the cards of the period were issued with the same expiration month and with the same IIN (I'm assuming specific to Japan as well), which left very little entropy and led to brute-force attacks via merchants not requiring 3DS (Uber etc.). Within only one community (approx. 1.5k people) we have had a handful of 100% verified cases where the card was compromised without any exposure at all (i.e. the card was not used online or offline).
In all cases Revolut promptly reverted the charges and eventually they did a complete reissue of the cards for the Japanese market (not sure how they've got around the entropy issue: maybe they've randomized the expiry dates or spread out IINs some more).
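
An added illustration, not part of the comment above and not Revolut's code: an issuer-side estimate of how many bits of uncertainty an outsider faces for a live card's number and expiry, comparing a launch-burst portfolio with one spread over more IINs and expiry months. The 16-digit PAN layout with a 6-digit IIN, the IIN values, and both portfolios are constructed assumptions.

```python
import math
from collections import Counter

ACCOUNT_DIGITS = 9  # assumption: 16-digit PAN = 6-digit IIN + 9 account digits + Luhn digit

def luhn_sum(digits: str) -> int:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total

def make_pan(iin: str, account: int) -> str:
    """Build a constructed, Luhn-valid 16-digit PAN for the sample data."""
    body = f"{iin}{account:0{ACCOUNT_DIGITS}d}"
    return body + str((10 - luhn_sum(body + "0") % 10) % 10)

def guess_bits(portfolio):
    """Bits of uncertainty in (PAN, expiry) for an outsider who knows the IINs in use.

    portfolio: iterable of (pan, 'YYYY-MM') pairs for live cards.
    """
    cards = dict(portfolio)  # de-duplicate by PAN
    for pan in cards:
        if len(pan) != 16 or not pan.isdigit() or luhn_sum(pan) % 10:
            raise ValueError("not a Luhn-valid 16-digit PAN")
    iins = {pan[:6] for pan in cards}
    space = len(iins) * 10 ** ACCOUNT_DIGITS  # Luhn-valid PANs across those IINs
    density_bits = math.log2(space / len(cards))
    # Min-entropy rather than Shannon entropy: the most common expiry is
    # the one a guesser would try first, so it sets the conservative bound.
    p_max = max(Counter(cards.values()).values()) / len(cards)
    return density_bits - math.log2(p_max)

N = 48_000  # constructed portfolio size
MONTHS = [f"{2025 + m // 12}-{m % 12 + 1:02d}" for m in range(48)]
IINS = ["999900", "999901", "999902", "999903"]  # constructed, not real issuer ranges

# One IIN, one expiry month: the launch-burst situation.
launch_burst = [(make_pan(IINS[0], i), MONTHS[0]) for i in range(N)]
# Same card count spread evenly over 4 IINs and 48 expiry months.
spread_out = [(make_pan(IINS[i % 4], i), MONTHS[(i // 4) % 48]) for i in range(N)]

if __name__ == "__main__":
    print(f"launch burst: {guess_bits(launch_burst):.2f} bits")
    print(f"spread out:   {guess_bits(spread_out):.2f} bits")
```

The figure covers only PAN and expiry; any further check a merchant performs adds to it.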