The first 4 to 6 digits of a credit card number are the bank identification number or BIN. The information needed to decode a BIN is publicly available, with some effort, and so anyone could tell from a credit card number what institution issued it, what bank it draws on, whether its a personal or business card, etc.
Suppose your credit card number was exposed in a data breach. Someone makes a suspicious purchase with your card, the issuer contacts you, you cancel the card, and you get a new card from the same source. The number can no longer be used to make purchases on your account, but what information did it leave behind?
The cancelled number might tell someone where you used to bank, which is probably where you still bank. And it may tell them the first few digits of your new card since the new card is issued by the same institution [1]. If the old BIN doesn’t directly reveal your new BIN, it at least narrows down the possibilities.
The information in your BIN, by itself, will not identify you, but it does provide clues that might lead to identifying you when combined with other information.
Related posts
[1] According to Andrew in the comments, American Express often changes credit card numbers as little as possible when issuing a replacement, changing only one content digit and the checksum.
Even better, when AmEx reissues a card the new number is completely predictable from the old one, typically only differing in two digits (one significant digit plus the checksum).
I used to work for a credit card processing software company, and I discovered that with only the last four digits, you can essentially execute the Luhn algorithm in reverse and generate a set of 100 luhn-valid card numbers. (I wrote some code to do this). By knowing the person’s Banking institution’s set of bin numbers you can probably reduce that set down quite a bit. (Never did this part, but I suppose its possible).