The most common occasion for this happening is on shared terminals. Has she used an internet cafe/hotel lobby/airport lounge PC since she's had the account? I'd venture to guess yes, at some point, right? Keyloggers there can lie dormant until the thief decides to parse out her password.

Speaking as an ex-employee, you'll never find a human at Google for this sort of problem. Your daughter has already fixed it by deleting the filter, so there's nothing Google can do at this point that wouldn't involved mining server logs, etc. That's not going to happen without a subpoena and proof of a crime (at the least).

If it had _just_ happened, she could learn more from the "last logged in" details at the bottom of the Gmail page, but that's likely much more recent than the original filter creation.

FYI, for those of you that need to use a shared terminal, use HTTPS (as above, which limits what network sniffers can get at) and also use this method for logging in:

for (each pwd character){
Give focus to anywhere but the pwd field;
Type some random characters;
Give focus to the pwd field;
Type the next character of the pwd}
Submit;

As a bonus, type the password out of order by using the mouse to position your cursor in different places. So for "password" type "ord", click to the left, type the "ssw", click to the end, type nonsense, click to the left, type "pas", go to the end, delete the nonsense, then hit submit.

(See this paper for more details on the method and how it defeats most keyloggers: http://cups.cs.cmu.edu/soups/2006/po...r_abstract.pdf )