The only thing that would worry me, based on what you said, is that certain webmail providers will still allow an existing "session" to connect even when you change your password. So, if they still have access to your email then it could be a genuine attack.
Assuming you are using one of these webmail services, you should see if there's a way to kill old sessions. Clear all the old sessions, change your password again and change your BAEC password again.
Just to be safe. It's probably just an accident as chistery suggests. But, better safe than without Avios :P