Opinion » Cybernaut

Have you been hacked?



You may not know exactly how someone got your Hotmail/Facebook/Gmail/Twitter passwords, but it's a safe bet that you've probably had someone hijack one of your accounts at one point or another. Most of the time the goal is to use your contact list to spread viruses, to use your account to launch a "denial of service" attack on an institution by overwhelming it with requests, or, most harmlessly, to use your identity to promote something, hoping your friends are gullible enough to believe you've been making $7,000 a month working at home. When these things happen it's usually a simple matter of changing your password to regain control.

I had someone repeatedly try to break into my bank account because, idiot like I am, I used the same password for my bank account as I did for email (the actual account number isn't all that hard to get, and thieves sometimes use cameras to record card numbers and PIN codes). The only thing that thwarted a real theft of cash was the fact that I had the verification questions feature turned on and the would-be thief didn't know any of the answers. I now change my password regularly, and I change my personal verification questions regularly as well, using obscure questions that nobody but me would know the answer to.

I've never had my Gmail account hacked, but if it's your primary email and you have any sensitive information in your email or Google Drive then you might want to consider signing up for their two-step verification service — a service that sends a one-time code to your cell phone every time you log in, ensuring that you need more than a user name and password to get in. Google will walk you through it at www.google.com/landing/2step/.

So far Google is one of the only online email clients to offer this. Microsoft Outlook takes a different approach, prompting users to use strong passwords and to change them regularly, while monitoring your account — if someone tries to access your account from China the day after you accessed your account from Whistler, red flags will go up and you'll be asked to authenticate your account again using private security information you provided or a secondary email account.

Google wants to go one step further and is investigating the use of physical keys, such as a USB ring, that could be used as a second or third step of security for Gmail and all of your online accounts.

As for how hackers are getting your user names and passwords in the first place, it depends. Usually it's through a mass theft of IDs from web forums (e.g. Twitter, Gawker, Yahoo) rather than an actual break-in to your computer, or you used a public computer with a keylogger virus on it.

If your computer has been broken into, hackers often leave traces behind — a keylogger, a remote access application, a virus, etc. Here are a few things Windows users can try (courtesy YouTube user ComputerTech251):

If you know how to open up your command line prompt (Windows key plus "R" on Windows 8, or find it in your Accessories folder on Windows 7), type in "msconfig" — this will give you a list of all the processes that are running during startup. Look for any programs where the publisher/company is unknown and do a search for the process on Google.

As well, it's a good idea to open the Task Manager occasionally and have a look at all the processes that are running. If there's anything you don't recognize then look it up immediately.

Another trick is to try typing "system.ini" into your command line and look for something that reads "user = user.drv" which could mean you've been hacked. If a line says "timer=timer.drv" then you're probably okay. It works better on older Windows systems, but you never know.

Yet another option is to type "netstat -ano" into the command line to find out what processes are "listening" to your activity. If something is listed as "Established" then it could be someone listening in. To find out if it's legitimate, open your Task Manager, select "Columns" under the "View" tab and click on "PID" to see if the information matches up with your established connections. If not, you have more work to do.

Copy the IP address next to the established connection into Google to see where it originates — it could be Microsoft or Mozilla doing an update or another legitimate process.

If that doesn't tell you anything, then the next step is to do a restart and do the "netstat -ano" process again before any programs are open. You shouldn't see any established connections because you haven't opened a browser, email client, messaging client or anything to connect to the web. If you do see an established connection, it may be time to open your antivirus software (I recommend Malwarebytes), update it and then run a full scan of your computer.
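For readers who would rather not match PIDs by eye, here is the same check as a short Python script. It is an added example, not part of the original column or the video it credits: the netstat and tasklist output below is constructed, and it assumes process names come from "tasklist /fo csv /nh" instead of the Task Manager window.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample of `netstat -ano` output (documentation-range addresses).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       980
  TCP    192.168.1.20:49712     203.0.113.10:443       ESTABLISHED     4312
  TCP    127.0.0.1:49690        127.0.0.1:49691        ESTABLISHED     2208
  TCP    [::1]:49700            [::1]:49701            ESTABLISHED     2208
  TCP    [2001:db8::5]:49800    [2001:db8::99]:443     ESTABLISHED     5120
  UDP    0.0.0.0:5353           *:*                                    1820
"""

# Constructed sample of `tasklist /fo csv /nh` output; PID 5120 is left out on purpose.
TASKLIST_SAMPLE = '''
"svchost.exe","980","Services","0","12,345 K"
"updater.exe","2208","Console","1","8,120 K"
"firefox.exe","4312","Console","1","250,000 K"
'''

def established_by_pid(netstat_text):
    """Map PID -> sorted remote endpoints for non-loopback ESTABLISHED TCP rows."""
    remotes = defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have five columns; UDP rows have no State column and drop out here.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue
        # Strip the port, IPv6 brackets and any %zone suffix before classifying the address.
        host = fields[2].rpartition(":")[0].strip("[]").split("%")[0]
        if not ipaddress.ip_address(host).is_loopback:
            remotes[int(fields[4])].add(fields[2])
    return {pid: sorted(eps) for pid, eps in remotes.items()}

def process_names(tasklist_csv):
    """Map PID -> image name from header-less tasklist CSV."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return {int(row[1]): row[0] for row in rows if len(row) >= 2}

def report(netstat_text, tasklist_csv):
    """Return (pid, name, remote endpoints); 'UNKNOWN' marks a PID with no listed process."""
    names = process_names(tasklist_csv)
    by_pid = established_by_pid(netstat_text)
    return [(pid, names.get(pid, "UNKNOWN"), by_pid[pid]) for pid in sorted(by_pid)]

if __name__ == "__main__":
    for pid, name, endpoints in report(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(pid, name, ", ".join(endpoints))
```

To use it on your own machine, save the output of the two commands to text files and pass their contents to report() in place of the samples.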

Always back up your important data. Hackers are usually one step ahead but if your data is secure then you can only lose so much.