A few good general ideas when it comes to passwords.
Use very strong passwords on anything important or valuable. No simple phrases with just a few extra capital letters or a $ for an “s”. Actually long and strong for real. Maybe even use a random password generator.
Do not reuse your email password on any other system for any other thing that requires a login and password.
Do not reuse any password for anything attached to any sort of financial information.
You can check to see if your email has been compromised at http://haveibeenpwned.com/
No, it wasn’t me. No, nothing of major significance was lost after all was said and done. Yes, it was explained very clearly to the offspring involved. No, she didn’t really send hundreds of emails to or from China. Lesson learned.
It’s common for email to be sent out with a forged sender identity, without compromising the sender’s account. This works because in email, as on paper envelopes, the “from” information is simply supplied by the sender, without enforcement. Or actually, there may be some options for checking various fields in the message, but those are all newer options and not normally enforced.
You can see this at work by looking at the “full headers” or “raw text” format displays of a spam message. Not all of them show this pattern, but many do. If you get an obvious fraud message that claims to be from someone you know, try this out. It may be the person’s email was hacked, but more likely it is merely a forgery created by putting in addresses harvested from stolen address books.
No, in this case her email was hacked. I’m pretty sure she neither sent, nor received, more than 500 emails to/from China on one day, and then her password was changed so she couldn’t get in.
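The raw-header check described in the comment above, as an added example that is not part of the original post or comments: it parses a message's full headers and lists signs that the "From" line was simply supplied by the sender. The sample message, its addresses and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: raw headers of a message whose From line is forged.
SAMPLE_RAW = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org;
\tspf=pass smtp.mailfrom=mailer.example.net;
\tdkim=none; dmarc=fail header.from=example.com
From: "Your Friend" <friend@example.com>
Reply-To: collect@example.net
To: you@example.org
Subject: Urgent

(body)
"""

def domain_of(value):
    """Lower-cased domain of the address in a header value, or ''."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def auth_verdicts(msg):
    """Map method -> result from Authentication-Results (RFC 8601).
    Only trust copies of this header stamped by your own receiving server."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for part in header.split(";")[1:]:  # part 0 is the server id
            tokens = part.split()
            if tokens and "=" in tokens[0]:
                method, _, result = tokens[0].partition("=")
                verdicts.setdefault(method.lower(), result.lower())
    return verdicts

def forgery_indicators(raw):
    """Return reasons to distrust the From line. Indicators, not proof:
    legitimate bulk mailers also use a different Return-Path domain."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    findings = []
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(msg.get(name))
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} differs from From domain {from_dom}")
    # SPF alone covers the envelope sender; DMARC is what ties a pass to From.
    dmarc = auth_verdicts(msg).get("dmarc", "missing")
    if dmarc != "pass":
        findings.append(f"dmarc={dmarc} for From domain {from_dom}")
    return findings

if __name__ == "__main__":
    for finding in forgery_indicators(SAMPLE_RAW):
        print(finding)
```

Note that the sample passes SPF even though the From line is forged: SPF checks the envelope sender, which the sending side also chooses.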