A friend just discovered today that his email has been compromised. Some asshole has gained illegal access to his email and has been reading it and sharing confidential information. His password was "secure", following all best-practice guidelines - longer than 8 characters, with mixed upper and lower case, numerical characters, and special characters. Not necessarily easy to crack, and impossible to deduce.
He runs anti-virus software, anti-spyware software, and a software firewall, keeps Windows always updated, and doesn't experiment with any 3rd party software -- his office machine is all about business.
The best guess is that his system got compromised through a key logger - most likely a physical key logger attached to the keyboard cable. Needless to say, multiple laws have been broken and a crime has been committed.
His best recourse now is to change every password on every system/site he uses and to enhance physical site security with cameras, motion detectors, and new key codes.