1) The password was weak and it was just picked, by dictionary search. The weak passwords are login_login, login_digits, only_digits, dictionary_word. Below is an example of a password attempt, such attempts go on 24/7.

2018-09-19 16:15:09 ivanov/ivanov
2018-09-19 16:15:16 ivanov/123456
2018-09-19 16:15:27 ivanov/123456a
2018-09-19 16:15:42 ivanov/111111
2018-09-19 16:15:54 ivanov/ivanov1
2018-09-19 16:16:06 ivanov/654321

2) Use different passwords for different resources. Never use passwords on email accounts that you use on forums, torrent trackers, and social networks. Use password managers in browsers, or separate programs - roboform, keepass.

3)Be careful with Wi-Fi networks, especially public and open networks. Traffic on such networks may be recorded and analyzed for passwords.

4) Don't fall for fake "from support" notifications, fake "bank" web pages, and various "social media alerts". Just hovering your mouse cursor over the link or the sender's address will reveal that the link leads to an entirely different site. If you are not able to determine the fake link yourself, contact the specialists - administrators of your unit.

5) Your computer/device must have a working anti-virus with a regularly updated anti-virus database. Modern viruses can intercept computer traffic and "steal" accounts.