Your assumption was correct; it was indeed an email barrage. This has become a common tactic among identity thieves; they buy something on your credit card, using all of the correct information for their victim so as not to trigger any alarms. Of course, this includes the victim’s actual email address, so they use email-blasting apps to sign the victim up to many different mailing lists, with the intention of tricking the victim into deleting the one clue that they’re an identity theft victim, with the intention of hanging around her house to swipe it off her porch before she finds it. Absolutely call Samsung to report the fraudulent purchase (hopefully they haven’t shipped it yet, if so keep a very close eye on her incoming parcels to try and find it), and her card issuer for the same reason so she can be issued a new card with a new number.
Likely the same way LTT got hacked earlier this year; someone in the company downloaded a disguised piece of malware, which took about 30 seconds to steal all the session tokens in their web browser. Put simply, a session token is basically a key card that grants your computer access to your account when asked, provided that you haven’t hit log out, which invalidates it and then requires your password again.