Happened to my spouse. Password was more than eight characters, letters, numbers, etc. but I think her work is the likely vulnerability (these free screen savers are great!) No more of that now, obviously.
The awful part was trying to get the account back. Because of Gmail's "Swiss Bank Account" set up, there is no way to prove you are the real user. She lost access to Email, Docs, Calendar. She just kept filling out the form, and getting rejected. Google advises to set a security question, but that was the second thing changed, after the password. Only after filling out the form over and over for 10 days, was she finally judged to be "real", and her password was reset.
For the cloud to take off, there has to be a better structure. A local admin structure? If we were going to start using Google products again fresh, I would sign us up for a free Apps domain, and then give us each user accounts. (When I first signed up for free Webmail, not only did I not know my spouse, I had no idea much of our data-lives would eventually be linked to the account.) That way, if anything untoward happens, I can login as admin from home and reset the accounts. Unfortunately, I don't think there's a way to link personal accounts into an Apps set up. Not yet anyway (crossing fingers).
My other work around is that I set up a proxy double email account, to which my real address forwards everything. If for some reason I need to read my email from an unsecured computer, I log in to the proxy account, where I can read copies of all my mail. If its compromised, I cut it off from the actual account faster than a zombifying limb. Still not a great solution, because all my mail is compromised, but at least I don't lose control of my email address and the rest of my Google account.