Without knowing exactly what the attackers did, it's hard to know. Maybe they found a cross-site scripting vulnerability or browser hack and were able to get JavaScript into your Gmail client to extract your login credentials. Hard to say. Unsurprisingly, Google is quite proactive at dealing with these sorts of attacks.
If you're using Google with your own domain, you can sign up for two-factor authentication. I've been using it for a while now and I'm quite happy with it. I'm running the Google Authenticator app on my Android phone, such that if I need to log in from a new machine, I have to type in the additional number alongside my password. Also interesting, Google effectively invalidated my password for IMAP and the like. They instead use a web form that generates separate one-time passwords for each place you'd normally use a password (home machine IMAP, work machine IMAP, PicasaWeb plugin for Adobe Lightroom, Android phone, etc.).
Needless to say, it's a bit bumpy getting it set up, but after that it's remarkably painless and potentially more resistant to these sorts of account hijacking attacks. Example: even if somebody could steal the credentials inside your browser, and thus work around the need to have a new one-time password, I'll bet that the new IP address disagrees with the credentials so account access fails. I already feel sorry for the poor Google engineer who had to make all of this work with variable IP addresses behind NATs.