There have been cases of web-based email accounts, such as Hotmail, being hacked into and used to send spam email. Passwords are changed, and owners cannot access their accounts. Junk messages are also sent through linked chats.
Stolen database - A database containing information such as email addresses and/or usernames and passwords was stolen, and the passwords were stored in plain text or some other easily-recoverable format. Even if the database was taken from another service, if it contained email addresses and passwords, an attacker could try using those together to gain access to email and other accounts.
Sniffed password - The password was "sniffed" (recorded) when it was sent over an unsecured network connection, such as a public Wi-Fi hotspot. Most online services (webmail, instant messaging and so forth) require a secure connection in order to log on, but it is possible for an attacker to monitor traffic, fake login screens, possibly redirect to a non-secure login and so forth.
Password guess - The password was guessed by a "bruteforce" attack. Computers are great for handling automated, repetitive tasks, and guessing a password by trying the most likely combinations of letters, numbers and punctuation marks is something they excel at. Computers and network connections are so fast these days that it is trivial for them to make guessing attacks against common words, phrases and alphanumeric substitutions (the number "1" for the letter "L", the number "3" for the letter "E" and so forth), so it is more secure to use a longer passphrase.
Phishing - is a form of social engineering broadcast attack focused on stealing credentials or identity information from any potential target. You've already cited an example of this technique -- when you received friend invitations from unknown people with suspicious email addresses. That's how others start their phishing attack.
Other loopholes identified by Trend Micro's Cyrus Ramos are exploited by attackers and are listed below:
Weak passwords - some users use common words as their passwords -- which is not a good practice. Avoid using simple words like "password", "12345", "admin", "54321", etc. as your password. It will be easy for the bad guys to guess your password if you use a weak password.
Dictionary attack - this is somewhat related to weak passwords. The bad guys will try to use common words to try to guess the password of your account.
Other techniques are quite old-fashioned already, but they still work. So you should still be aware of the following:
Eavesdropping - is the act of secretly listening to the private conversation of others without their consent. One example is if you're in a public place, the person beside you might be "secretly" listening to the things that you're saying while you're talking to a friend via your mobile phone, face to face conversation, etc. -- waiting for some important information that you may say that might be of use to them.
Shoulder surfing - this is (or should I say was) very common in Internet cafes, wherein the person beside you is waiting for you to type in your password and will monitor the movement of your fingers so that they can determine your credentials.
Dumpster diving - is the act of digging through trash in order to obtain information about a target organization or individual. To prevent dumpster diving (or at least reduce its value), all important documents should be shredded or incinerated before being discarded.
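The weak-password, dictionary and substitution guesses described above can be turned into a check that runs before a password is accepted. The following is an added example, not part of the original article; the word list is a small constructed sample, and the function name, substitution table and 12-character minimum are assumptions chosen for illustration.

```python
import string

# Constructed sample; a real check would load a large list of common/breached passwords.
COMMON_WORDS = {"password", "admin", "letmein", "welcome", "hello", "qwerty"}

# Undo look-alike substitutions such as "1" for "L" and "3" for "E".
SUBSTITUTIONS = str.maketrans({"1": "l", "3": "e", "0": "o", "4": "a", "@": "a",
                               "5": "s", "$": "s", "7": "t", "!": "i"})


def _is_sequence(text):
    """True for runs such as 12345, 54321 or abcdef."""
    if len(text) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(text, text[1:])}
    return steps in ({1}, {-1})


def weaknesses(password, min_length=12):
    """Return the reasons a password would fall to a quick guessing attack."""
    findings = []
    lowered = password.lower()
    if len(password) < min_length:
        findings.append("too short")
    if _is_sequence(lowered) or len(set(lowered)) == 1:
        findings.append("sequence or repeated character")
    # Guessing tools try a word both as typed and with digits or punctuation
    # added at either end, so test both forms after undoing substitutions.
    trimmed = lowered.strip(string.digits + string.punctuation)
    candidates = {lowered.translate(SUBSTITUTIONS), trimmed.translate(SUBSTITUTIONS)}
    if lowered in COMMON_WORDS:
        findings.append("common word")
    elif candidates & COMMON_WORDS:
        findings.append("common word with substitutions or padding")
    return findings


if __name__ == "__main__":
    for sample in ("password", "54321", "P@55w0rd2024!", "correct horse battery staple"):
        print(f"{sample!r}: {weaknesses(sample) or 'no quick-guess weakness found'}")
```

An empty result only means the password passed these particular checks; length remains the main defence, as the passphrase advice above says.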
Store password safely
If you're the kind of person who writes passwords or important information on a piece of paper, make sure that you store it in a safe place (not under the keyboard, on a ref/monitor post it, etc.). Also, be wary of the "dumpster diving" technique that's still being used by some bad guys.
Changing the password on a compromised account often works, but it is always a good idea to check with the particular service provider to see if they have any specific or additional recommendations about how to secure the account.
Avoid suspicious accounts
Avoid invites from suspicious accounts on instant messengers, social media and so forth. If you get a suspicious message from someone you know, try contacting them out-of-band (i.e., using a different means than they used to contact you, such as by sending them a text message if they sent you an email) to notify them about the suspicious message(s) you received.
If your Hotmail account has been compromised, here is a tip from Microsoft MVP Corrine Chorney: