My wife's work account did this a few months back, GMail account, no computers were turned on at the time, no FB. I could tell it was different because it spammed all her contacts, and its origin was from gmail servers (I used to hunt spammers so I am pretty good at reading email headers).
I had her tumble her password, and installed two-factor authentication for GMail (Yahoo has two-factor authentication also, Google for it). You install an app on a mobile phone, and enter its 6 digit number when you authenticate to GMail. I figure, now even if her password is guessed/cracked, the attacker won't get in now.
You can go another level up with LastPass and let it choose unique passwords for every site you have an account on. It's free to use on a PC, but you have to pay a small monthly fee to use it on Android. One of the known weaknesses now is people using one username/password for all their online accounts. This is probably an up-and-coming exploit, and was recommended as a thing to do by a security professional recently.