re: iTunes account hacked - how?

If you use the same password for multiple sites, it doesn't even matter if you are hacked; the site could be hacked and they can obtain your password hash from the site's database. Using various techniques they will find out your actual password from this hash. They will then have your email address and commonly used password and will try it on other sites.

1) Use a unique password for every site.
2) Use a very long, very complex password to make it more difficult to obtain from the hash.
3) Use a password manager program to store your passwords as if you don't have one the above two points are really difficult for a normal human being
4) Turn on two-factor authentication for all sites that offer it. That way, they need both get your password and have access to your telephone in order to compromise your accounts. You'll also know if someone obtained your password if the authentication request shows up on your phone and you didn't trigger it. You can then change the password.