Seems like someone forgot to:
- Log out of Facebook at a public place including any school, job, café, etc.
- Choose strong passwords (at least 8 characters, containing lower- and upper-case letters, numbers and at least one special character, and of course none of it should relate to: years, places, towns, cities, zip codes, personal things, names, and birthdays, or any other known word that can be found in a dictionary or book).
- Even MORE important is to make up a secret question and answer that has absolutely no relation to you, or that only you know. Something you have never told anyone. Otherwise even the best password won't protect you if the "I forgot my password" question is weak, which it usually is. The secret question(s) and answer(s) are just like your passwords, and they should be equally strong.
- NEVER use the same password across several websites. Use at least different passwords for: e-mail, your computer, social networking sites such as Facebook, and especially at work or school.
- Never open attachments in e-mails, unless you are 200% sure you know who the sender is.
- Never open e-mails or allow scripts and images in them to be loaded, if you do not know the sender.
- Use an up-to-date firewall and antivirus program.
- Never use anyone else's USB keys, and avoid using your USB key in computers other than your own if possible.
- Don't allow people to use your computer if you don't trust them fully.
- Never log into Facebook, your e-mail, etc., at a computer you don't know the security of. The attacker could've compromised it if it's at a school, workplace, etc. The attacker could also be eavesdropping on traffic on public networks.
- Always use WPA2/TKIP on a wireless network with a strong password. If you can, avoid using wireless networks, especially public ones.
- Avoid browsing to links when you have no idea what they contain. A lot of e-mail spam recently contains links to infected websites that automatically infect your computer.
If you follow all these guidelines, you should generally be quite safe.
Furthermore, you may have to reinstall your computer, or just Windows, if you suspect it has been infected.
Last but not least, keep in mind that if your e-mail gets compromised, everything it's attached to (Facebook, Twitter, etc.) is potentially compromised as well, as an attacker can then just use the "I forgot my password" feature, just like you would if you had lost your password.
It's a lot of things to remember, but most of it is common sense and can become everyday practice quite easily if you're just willing to do so.
Naturally you should try to use "HTTPS" everywhere you can.
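
The password rules from the list above, written out as a check; this is an added example and not part of the original post. The word list and personal details are constructed samples, and `policy_violations` is a hypothetical name; it shows that a password such as `Summer2019!` meets every character-class rule yet still breaks the "no years, no dictionary words" rules.

```python
import re
import string

# Constructed sample data (assumptions): a real check would load a full
# dictionary file and the user's own personal details.
WORDLIST = {"summer", "password", "dragon", "copenhagen", "welcome"}
PERSONAL = {"anna", "aarhus", "8000"}  # constructed name, town, zip code

# Common character substitutions, undone before the dictionary lookup
# so that "P@ssw0rd" is still recognised as "password".
LEET = str.maketrans("0134578@$!", "oieastbasi")


def policy_violations(password, wordlist=WORDLIST, personal=PERSONAL):
    """Return the rules from the post that `password` breaks (empty = passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    classes = {
        "lower-case letter": string.ascii_lowercase,
        "upper-case letter": string.ascii_uppercase,
        "number": string.digits,
        "special character": string.punctuation,
    }
    for name, alphabet in classes.items():
        if not any(ch in alphabet for ch in password):
            problems.append(f"no {name}")
    # Years: a standalone run of four digits starting with 19 or 20.
    if re.search(r"(?<!\d)(19|20)\d{2}(?!\d)", password):
        problems.append("contains a year")
    lowered = password.lower()
    normalised = lowered.translate(LEET)
    for token in sorted(personal):
        if token in lowered or token in normalised:
            problems.append(f"contains personal detail '{token}'")
    # Words under 4 letters are skipped to avoid flagging random strings.
    for word in sorted(wordlist):
        if len(word) >= 4 and (word in lowered or word in normalised):
            problems.append(f"contains dictionary word '{word}'")
    return problems


if __name__ == "__main__":
    for candidate in ("Summer2019!", "P@ssw0rd!", "Anna8000", "vT7#qLz9&mRw"):
        print(candidate, "->", policy_violations(candidate) or "passes")
```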