Originally Posted by
r00ty
The only thing that would worry me, based on what you said is that certain webmail providers will still allow an existing "session" to connect even when you change password. So, if they still have access to your email then it could be a genuine attack.
Assuming you are using one of these webmail services, you should see if there's a way to kill old sessions. Clear all the old sessions, change password again and change BAEC password again.
Just to be safe. It's probably just an accident as chistery suggests. But, better safe than without avios :P
Unlikely.
Firstly you have to specifically set webmail clients to have an indefinite session, by default they expire.
Secondly, even for sessions set to not expire, all the major webmail clients force reauthorisation on next mouse click if a password change has been detected.