CNet reports that Orbitz was compromised, stating "Orbitz has notified law enforcement authorities about a recent security breach that has resulted in its customers' e-mail addresses falling into the hands of spammers." Apparently Orbitz is trying to dodge the California notification law by claiming "no indication that credit card information had been compromised."
Orbitz uses are reporting receiving spam to email addresses used only at Orbitz. I am an Orbitz user, but the email address I use isn't exclusively for Orbitz. However, I hardly get spam to the account I use for Orbitz. For the first 17 days of October, I received 5 spam emails. Over the last 12 days, I've received 20. That's not scientific, but something clearly changed recently.
It's likely that if intruders compromised Orbitz's account list they stole credit cards as well. This is NOT based on any "insider knowledge" of Orbitz or this case. I make this assessment based on experience working similar cases elsewhere. Keep an eye on your statements (online or offline) and report suspicious activity to the card issuer immediately. Changing your Orbitz password is a good idea too.