but AFAICS not a firewall. Does the same reasoning apply?
A firewall is probably the single most important thing everybody should do in the interests of security. Most routers have a firewall, and you should leave it enabled and never tamper with it unless you really know what you are doing. But in this situation, I'm afraid it would have been irrelevant, for the same reason that AV wouldn't have helped.
I really wouldn't lose any sleep over this, and I personally wouldn't even bother changing passwords, though you can if you want. Think about it... if a hacker had got into a personal mailbox it could be a real goldmine of stolen information, so why would he want to give himself away by sending emails from that user, when he can do that without hacking into mailboxes?
Unfortunately, pretty much all of the header fields can be faked and a clever spammer will leave very little, if any, trace of his own identity. I typically receive several hundred such emails a week (for example, from myself to myself); they're just not worth worrying about.
The really important point is the one I made earlier...
It's why we always need to be on our guard when opening mail attachments, even if it appears to have come from somebody we know.
... and no amount of password changes will alter that. Even AV can't be relied upon, since it may only recognise virus attachments if the virus has been around long enough for it to become known to the AV companies. That doesn't help the first few people to have received it, before it became recognised. If somebody sends you an unexpected or suspicious-looking attachment, make certain they really sent it before opening. It may be obviously genuine if the email text refers, say, to something personal - but always be suspicious.
I believe a lot of spammers have their accounts shut down (or at least, added to network spam filters) after each mailshot they send out, which would probably explain why Chrissie never had a recurrence.