No domain registrar should be taking the last four of your credit card number as proof of account identity or ownership. We certainly don't. Have you confirmed they reset the password based on just the last four of the credit card OR was your account's email address itself comprised, allowing them to reset the password via your email address?