A lot of email accounts get hacked, hotmail, yahoo, not sure about gmail. When you logged and you had the browser save your login info then yes they can access your email. And yes, keyloggers are another way to getting login info.
Depends what you mean by 'into the account'. Some people freak out at spoofed headers because they have zero comprehension of how anything works.
Why wouldn't you just change your password and remove the authorization for existing systems/cookies? Clearly you don't ever change passwords, so you probably also use a shared one across platforms that has the possibility of being leaked from another service.