Email Hacker

Yesterday, I received the following from a friend:

"Dear Ron,
Hope all is well with you. This morning, some Chinese hacker hacked into my gmail account and sent a bunch of e-mails to people I correspond with using this account. What an ordeal! I had to change my password, send a bunch of e-mails to those people explaining what had happened... what a mess. This is the account we use for 'non-work related' and 'non-personal' correspondence, i.e. bills, alumni stuff, lawn-care, etc.
Any advice on how to prevent this from happening? We got so rattled. What if somebody hacked into our bank accounts - could they transfer our money and rob us blind? Anyway, we would really appreciate any advice you could provide us ... I hate this!!
Love,
......."

It is very likely that we've all had an experience that goes something like this...
--Someone we know receives a message from me
--Message is either profane or for some medication or both
--Friend replies to our message with - "Huh - what are you talking about?"
--We disclaim all knowledge of said email

Here was my roughly constructed response:
"Yeah - that is scary!
Do you know for sure that this person actually hacked your gmail account, or was he/she just using your name & return address (there is a difference)?
How do you know it was a Chinese hacker?
The recommended strategy for an actual hack includes:
1) make SURE that your Anti-Virus & Anti-Spyware are up-2-date and effective (good brand)
2) make SURE that all unknown software is removed from your computers
3) use a "strong" password for all accounts (mix of at least 3 types of characters - uppercase, lowercase, symbol, number - and at least 8 characters long)
4) use a different password for each account, OR at least, use a VERY "strong" password for your important accounts
5) some banks offer you a "token-key" (also known as 3-factor authentication) for account access (VERY secure)
6) rarely (preferably NEVER) use a publicly accessible computer to logon to your accounts - Especially important accounts. (doing so on computers infected with "key-loggers" could send your logon info to undesirable people.)
In the case where someone just uses your name and return email address, there really isn't much of a preventative strategy for that. And unfortunately, this technique is very easy to accomplish and nearly untraceable. Luckily though, it's more of an annoyance to you and your contacts than an actual threat."

Now - some would argue the point within the last sentence. Is it really just more of an annoyance? Are the implied assumptions made within that sentence valid assumptions? What might those assumptions be?
--That your friend(s) didn't click on any links in the email
--That you are SURE someone didn't really hack your account
--That the event won't repeat itself over, and over, and over, and over, and over, and over, ...
What do you think?

One of several good resources: http://www.idtheft.gov/

RL